There is a large amount of work dedicated to the formal verification of security protocols. In this paper, we revisit and extend the NP-complete decision procedure for a bounded number of sessions. We use a, now standard, deducibility constraint formalism for modeling security protocols. Our first contribution is to give a simple set of constraint simplification rules that allows us to reduce any deducibility constraint system to a set of solved forms, representing all solutions (within the bound on sessions).

As a consequence, we prove that deciding the existence of key cycles is NP-complete for a bounded number of sessions. The problem of key cycles has been put forward by recent works relating computational and symbolic models. The so-called soundness of the symbolic model indeed requires that no key cycle (e.g., $\mathsf{enc}(k, k)$) ever occurs in the execution of the protocol. Otherwise, stronger security assumptions (such as KDM-security) are required.

We show that our decision procedure can also be applied to prove again the decidability of 
authentication-like properties and the decidability of a significant fragment of protocols with 
timestamps. 

Categories and Subject Descriptors: F.3.1 [Logics and Meanings of Programs]: Verifying and Reasoning about 
Programs 

General Terms: Security 

Additional Key Words and Phrases: formal proofs, security protocols, symbolic constraints, verification



1. INTRODUCTION 

Security protocols are small programs that aim at securing communications over a public network, like the Internet. Considering the increasing size of networks and their dependence on cryptographic protocols, a high level of assurance is needed in the correctness of such protocols. The design of such protocols is difficult and error-prone; many attacks are discovered even several years after the publication of a protocol. Consequently, there has been a growing interest in applying formal methods for validating cryptographic protocols and many results have been obtained. The main advantage of this approach is its relative simplicity, which makes it amenable to automated analysis. For example, secrecy preservation is co-NP-complete for a bounded number of sessions [Amadio and Lugiez 2000; Rusinowitch and Turuani 2001], and decidable for an unbounded number of sessions under some additional restrictions [Comon-Lundh and Cortier 2003; Durgin et al. 1999; Lowe 1998; Ramanujam and Suresh 2005]. Many tools have also been developed to automatically verify cryptographic protocols, like [Armando et al. 2005; Blanchet 2001; Millen and Shmatikov 2001; Cremers 2008].

Generalizing the constraint system approach. In this paper, we re-investigate and extend the NP-complete decision procedure for a bounded number of sessions [Rusinowitch and Turuani 2001]. In this setting (i.e., a finite number of sessions), deducibility constraint systems have become the standard model for verifying security properties, with a special focus on secrecy. Starting with Millen and Shmatikov's paper [Millen and Shmatikov 2001], many results (e.g., [Comon-Lundh and Shmatikov 2003; Baudet 2005; Bursuc et al. 2007]) have been obtained and several tools (e.g., [Corin and Etalle 2002]) have been developed within this framework. Our first contribution is to provide a generic approach derived from [Comon-Lundh and Shmatikov 2003] to decide general security properties. We show that any deducibility constraint system can be transformed into (possibly several) much simpler deducibility constraint systems that are called solved forms, preserving all solutions of the original system, and not only its satisfiability. In other words, the deducibility constraint system represents in a symbolic way all the possible sequences of messages that are produced, following the protocol rules, whatever the intruder's actions are. This set of symbolic traces is infinite in general. Solved forms are a simple (and finite) representation of such traces and we show that it is suitable for the verification of many security properties. We also consider sorted terms, symmetric and asymmetric encryption, pairing and signatures, but we do not consider algebraic properties like Abelian groups or exclusive or. In addition, we prove termination in polynomial time of the (non-deterministic) deducibility constraint simplification. Compared to [Rusinowitch and Turuani 2001], our procedure preserves all solutions. Hence, we can represent, for instance, all attacks on secrecy and not only decide if there exists one. Moreover, presenting the decision procedure using a small set of simplification rules yields more flexibility for further extensions and modifications.

The main originality is that the method is applicable to any security property that can be expressed as a formula on the protocol trace and the agent memories. For example, our decision procedure (published in the LPAR'06 proceedings [Cortier and Zalinescu 2006]) has been used in [Cortier et al. 2006] for proving that a new notion of secrecy in presence of hashes is decidable (and co-NP-complete) for a bounded number of sessions. It has also been used in [Cortier et al. 2007] in the proof of modularity results for security of protocols. To illustrate the large applicability of our decision procedure, we show in this paper how it can be used for proving co-NP-completeness of three kinds of security properties: the existence of key cycles, authentication-like properties, and secrecy of protocols with timestamps.

For authentication properties, we introduce a small logic that allows us to specify authentication and some similar security properties. Using our solved forms, we show that any property that can be expressed within this logic can be decided. The logic is smaller than NPATRL [Syverson and Meadows 1996] or PS-LTL [Corin et al. 2005; Corin 2006], but we believe that decidability holds for a larger logic, closer to the two above ones. However, the goal of this work is not to introduce a new logic, but rather to highlight the proof method. Note also that the absence of key cycles cannot be expressed in any of the three mentioned logics because it is not only a trace property but also a property of the message structure (see below).

For timestamps, we actually retrieve a significant fragment of the decidable class identified by Bozga et al. [Bozga et al. 2004]. We believe that our result can lead more easily to an implementation, since we only need to adapt the procedure implemented in AVISPA [Armando et al. 2005], while Bozga et al. have designed a completely new decision procedure, which de facto has not been implemented.

Application to key cycles. Our second main contribution is to use this approach to provide an NP-complete decision procedure for detecting the generation of key cycles during the execution of a protocol, in the presence of an intruder, for a bounded number of sessions. To the best of our knowledge, this problem has not been addressed before. The key cycle problem is a problem that arises from the cryptographic community. Indeed, two distinct approaches for the rigorous design and analysis of cryptographic protocols have been pursued in the literature: the so-called Dolev-Yao, symbolic, or formal approach on the one hand and the cryptographic, computational, or concrete approach on the other hand. In the symbolic approach, messages are modeled as formal terms that the adversary can manipulate using a fixed set of operations. In the cryptographic approach, messages are bit strings and the adversary is an arbitrary probabilistic polynomial-time Turing machine. While results in this model yield strong security guarantees, the proofs are often quite involved and only rarely suitable for automation (see, e.g., [Goldwasser and Micali 1984; Bellare and Rogaway 1993]).

Starting with the seminal work of Abadi and Rogaway [Abadi and Rogaway 2002], recent results investigate the possibility of bridging the gap between the two approaches. The goal is to obtain the best of both worlds: simple, automated security proofs that entail strong security guarantees. The approach usually consists in proving that the Dolev-Yao abstraction of cryptographic primitives is correct as soon as strong enough primitives are used in the implementation. For example, in the case of asymmetric encryption, it has been shown [Micciancio and Warinschi 2004b] that the perfect encryption assumption is a sound abstraction for IND-CCA2, which corresponds to a well-established security level. The perfect encryption assumption intuitively states that encryption is a black box that can be opened only when one has the inverse key. Otherwise, no information can be learned from a ciphertext about the underlying plaintext.

However, it is not always sufficient to find the right cryptographic hypotheses. Formal models may need to be amended in order to be correct abstractions of the cryptographic models. A widely used requirement is to control how keys can encrypt other keys. In a passive setting, soundness results [Abadi and Rogaway 2002; Micciancio and Warinschi 2004a] require that no key cycles can be generated during the execution of a protocol. Key cycles are messages like $\mathsf{enc}(k, k)$ or $\mathsf{enc}(k_1, k_2), \mathsf{enc}(k_2, k_1)$, where a key encrypts itself or, more generally, where the encryption relation between keys contains a cycle. Such key cycles have to be disallowed simply because usual security definitions for encryption schemes do not yield any guarantees otherwise. In the active setting, the typical hypotheses are even stronger. For instance, in [Backes and Pfitzmann 2004; Janvier et al. 2005] the authors require that a key $k$ never encrypts a key generated before $k$ or, more generally, that it is known in advance which key encrypts which one. More precisely, the encryption relation has to be compatible with the order in which keys are generated, or more generally, it has to be compatible with an a priori given ordering on keys.

Related work on key cycles. Some authors circumvent the problem of key cycles by providing new security definitions for encryption, Key Dependent Messages security (KDM in short), that allow key cycles [Adao et al. 2005; Backes et al. 2007]. However, the standard security notions do not imply these new definitions, and ad-hoc encryption schemes have to be constructed. Most of these constructions use the random oracle model, which is provably non-implementable. Though there was some recent progress [Hofheinz and Unruh 2008] towards constructing a KDM-secure encryption scheme in the standard model, none of the usual, implemented encryption schemes has been proved to satisfy KDM-security.

In a passive setting, Laud [Laud 2002] proposed a modification of the Dolev-Yao model such that the new model is a sound abstraction even in the presence of key cycles. In his model the intruder's power is strengthened by adding new deduction rules. With the new rules, from a message containing a key cycle, the intruder can infer all keys involved in the cycle as well as the messages encrypted by these keys. Subsequently, Janvier [Janvier 2006] proved that the intruder deduction problem remains polynomial for the modified deduction system. It was also suggested that this approach can be extended to active intruders and incorporated in existing tools, though, to the best of our knowledge, this has not been completed yet. Note that the definition of key cycles used in [Janvier 2006] is more permissive than in [Abadi and Rogaway 2002] (which is unnecessarily restrictive) and it corresponds to the approach of Laud [Laud 2002].

Deciding key cycles. In this paper, we provide an NP-complete decision procedure for detecting the generation of key cycles during the execution of a protocol, in the presence of an active intruder, for a bounded number of sessions. Our procedure works for all the above mentioned definitions of key cycles: strict key cycles (à la Abadi, Rogaway), non-strict (à la Laud) key cycles, key orderings (à la Backes). We therefore provide a necessary component for automated tools used in proving strong, cryptographic security properties, using existing soundness results. Since our approach is an extension of the transformation rules derived from the result of [Rusinowitch and Turuani 2001], we believe that our algorithm can be easily implemented since it can be adapted from the associated procedure, already implemented in AVISPA [Armando et al. 2005] for deciding secrecy and authentication properties.

Outline of the paper. The messages and the intruder capabilities are modeled in Section 2. In Section 3.1, we define deducibility constraint systems and show how they can be used to express protocol executions. In Section 3.2, we define security properties and their satisfaction. In Section 4, we show that the satisfaction of any (in)security property can be non-deterministically, polynomially reduced to the satisfiability of the same problem, this time on simpler constraint systems. The simplification rules derived from [Comon-Lundh and Shmatikov 2003] are provided in Section 4.1. They are actually not sufficient to ensure termination in polynomial time. Thus we introduce in Section 4.6 a refined decision procedure, which is correct, complete, and terminating in polynomial time. We show in Section 5 how this approach can be used to obtain our main result of NP-completeness for the decision of key cycle generation. In Section 6, we introduce a small logic to express authentication-like properties and we show how our technique can be used to decide any formula of this logic. In Section 7, we show how it can be used to derive NP-completeness for protocols with timestamps. Some concluding remarks about further work can be found in Section 8.

2. MESSAGES AND INTRUDER CAPABILITIES 
2.1 Syntax 

Cryptographic primitives are represented by function symbols. More specifically, we consider a signature $(\mathcal{S}, \mathcal{F})$ consisting in a set of sorts $\mathcal{S} = \{s, s_1, \ldots\}$ and a set of function symbols $\mathcal{F} = \{\mathsf{enc}, \mathsf{enca}, \mathsf{sign}, \langle\,\rangle, \mathsf{priv}\}$. Each function symbol is associated with an arity: $\mathsf{ar}$ is a mapping from $\mathcal{F}$ to $\mathcal{S}^* \times \mathcal{S}$, which we write $\mathsf{ar}(f) = s_1 \times \cdots \times s_n \to s$. The first four function symbols in $\mathcal{F}$ are binary: for each of them there are $s_1, s_2, s \in \mathcal{S}$ such that $\mathsf{ar}(f) = s_1 \times s_2 \to s$. The last symbol is unary: there are $s, s' \in \mathcal{S}$ such that $\mathsf{ar}(f) = s \to s'$.

The symbol $\langle\,\rangle$ represents the pairing function. The terms $\mathsf{enc}(m, k)$ and $\mathsf{enca}(m, k)$ represent respectively the message $m$ encrypted with the symmetric (resp. asymmetric) key $k$. The term $\mathsf{sign}(m, k)$ represents the message $m$ signed by the key $k$. The term $\mathsf{priv}(a)$ represents the private key of the agent $a$. For simplicity, we confuse the agents' names with their public keys. (Or conversely, we claim that agents' identities are defined by their public keys.)

$\mathcal{N} = \{a, b, \ldots\}$ is a set of names and $\mathcal{X} = \{x, y, \ldots\}$ is a set of variables. Each name and each variable is associated with a sort. We assume that there are infinitely many names and infinitely many variables of each sort.

The set of terms of sort $s$ is defined inductively by

$t ::=$ term of sort $s$

$\quad \mid\ x$ variable $x$ of sort $s$

$\quad \mid\ a$ name $a$ of sort $s$

$\quad \mid\ f(t_1, \ldots, t_n)$ application of symbol $f \in \mathcal{F}$ such that $\mathsf{ar}(f) = s_1 \times \cdots \times s_n \to s$ and each $t_i$ is a term of sort $s_i$.

We assume a special sort Msg that subsumes all the other sorts: any term is of sort Msg. 

Sorts are mostly left unspecified in this paper. They can be used in applications to express that certain operators can be applied only to some restricted terms. For example, we use sorts explicitly to express that messages are encrypted by atomic keys (only in Section 5), and to represent timestamps (only in Section 7).

As usual, we write $\mathcal{V}(t)$ for the set of variables occurring in $t$. For a set $T$ of terms, $\mathcal{V}(T)$ denotes the union of the variables occurring in the terms of $T$. A term $t$ is ground or closed if and only if $\mathcal{V}(t) = \emptyset$. A position or an occurrence in a term $t$ is a sequence of positive integers corresponding to paths starting from the root in the tree representation of $t$. For a term $t$ and a position $p$ in this term, $t|_p$ denotes the subterm of $t$ at position $p$. We write $St(t)$ and $St(T)$ for the set of subterms of a term $t$, and of a set of terms $T$, respectively. The size of a term $t$, denoted $|t|$, is defined inductively as usual: $|t| = 1$ if $t$ is a variable or a name and $|t| = 1 + \sum_{i=1}^{n} |t_i|$ if $t = f(t_1, \ldots, t_n)$ for $f \in \mathcal{F}$. If $T$ is a set of terms then $|T|$ denotes the sum of the sizes of its elements. The cardinality of a set $T$ is denoted by $\sharp T$. By abuse of notation, we sometimes denote by $T, u$ the set $T \cup \{u\}$.

Fig. 1. Intruder deduction system (premises above the bar, conclusion below).

$\dfrac{S \vdash x \quad S \vdash y}{S \vdash \langle x, y\rangle}$ Pairing

$\dfrac{S \vdash x \quad S \vdash y}{S \vdash \mathsf{enc}(x, y)}$ Symmetric encryption

$\dfrac{S \vdash x \quad S \vdash y}{S \vdash \mathsf{enca}(x, y)}$ Asymmetric encryption

$\dfrac{S \vdash x \quad S \vdash y}{S \vdash \mathsf{sign}(x, y)}$ Signing

$\dfrac{S \vdash \mathsf{enc}(x, y) \quad S \vdash y}{S \vdash x}$ Symmetric decryption

$\dfrac{S \vdash \langle x, y\rangle}{S \vdash x}$ First projection

$\dfrac{S \vdash \mathsf{enca}(x, y) \quad S \vdash \mathsf{priv}(y)}{S \vdash x}$ Asymmetric decryption

$\dfrac{S \vdash \langle x, y\rangle}{S \vdash y}$ Second projection

$\dfrac{S \vdash \mathsf{sign}(x, y)}{S \vdash x}$ Unsigning (optional)

$\dfrac{}{S, x \vdash x}$ Axiom

Substitutions are written $\sigma = \{t_1/x_1, \ldots, t_n/x_n\}$ with $\mathsf{dom}(\sigma) = \{x_1, \ldots, x_n\}$. We only consider well-sorted substitutions, for which $x_i$ and $t_i$ have the same sort. $\sigma$ is closed if and only if every $t_i$ is closed. The application of a substitution $\sigma$ to a term $t$ is written $\sigma(t)$ or $t\sigma$. A most general unifier of two terms $u$ and $v$ is denoted by $\mathsf{mgu}(u, v)$.

2.2 Intruder capabilities 

The ability of the intruder is modeled by the deduction rules displayed in Figure 1 and 
corresponds to the usual Dolev-Yao rules. 

Pairing, signing, symmetric and asymmetric encryption are the composition rules. The other rules are decomposition rules. Intuitively, these deduction rules say that an intruder can compose messages by pairing, encrypting, and signing messages provided she has the corresponding keys and, conversely, she can decompose messages by projecting or decrypting provided she holds the decryption keys. For signatures, the intruder is also able to verify whether a signature $\mathsf{sign}(m, k)$ and a message $m$ match (provided she has the verification key), but this does not give rise to any new message: this capability need not be represented in the deduction system. We also consider an optional rule

$$\dfrac{S \vdash \mathsf{sign}(x, y)}{S \vdash x}$$

that expresses the ability to retrieve the whole message from its signature. This property may or may not hold depending on the signature scheme, and that is why this rule is optional. Note that this rule is necessary for obtaining soundness properties w.r.t. cryptographic digital signatures. Our results will hold in both cases, whether or not this rule is considered in the deduction relation.

A proof tree (sometimes simply called a proof) is a tree whose labels are sequents $T \vdash u$ where $T$ is a finite set of terms and $u$ is a term. A proof tree is inductively defined as follows:

— if $u$ is a term and $u \in T$, then $T \vdash u$ is a proof tree whose conclusion is $T \vdash u$, using the axiom;

— if $\pi_1, \ldots, \pi_n$ are proof trees, whose respective conclusions are $T \vdash u_1, \ldots, T \vdash u_n$, and $\dfrac{S \vdash t_1 \ \cdots\ S \vdash t_n}{S \vdash t}$ is a rule $R$ of Figure 1 such that, for some (well-sorted) substitution $\sigma$, $t_1\sigma = u_1, \ldots, t_n\sigma = u_n$, then $\dfrac{\pi_1 \ \cdots\ \pi_n}{T \vdash t\sigma}$ is a proof tree using $R$, whose conclusion is $T \vdash t\sigma$.

We will call a subproof a subtree of a proof tree. A strict subproof (resp. immediate subproof) of $\pi$ is a subproof of $\pi$ distinct from $\pi$ (resp. a maximal strict subproof of $\pi$).

A term $u$ is deducible from a set of terms $T$, which we sometimes write $T \vdash u$ by abuse of notation, if there exists a proof tree whose conclusion is $T \vdash u$.

Example 2.1. The term $\langle k_1, k_2\rangle$ is deducible from the set $S_1 = \{\mathsf{enc}(k_1, k_2), k_2\}$, as the following proof tree shows:

$$\dfrac{\dfrac{S_1 \vdash \mathsf{enc}(k_1, k_2) \quad S_1 \vdash k_2}{S_1 \vdash k_1} \quad S_1 \vdash k_2}{S_1 \vdash \langle k_1, k_2\rangle}$$

3. DEDUCIBILITY CONSTRAINT SYSTEMS AND SECURITY PROPERTIES 

Deducibility constraint systems are quite common (see e.g. [Millen and Shmatikov 2001; Comon-Lundh and Shmatikov 2003]) in modeling security protocols. We recall here their definition and show how they can be used to specify general security properties. Then we prove that any deducibility constraint system can be transformed into simpler ones, called solved. Such simplified constraints are then used to decide the security properties.

3.1 Deducibility constraint systems 

In the usual attacker's model, the intruder controls the network. In particular she can schedule the messages. Once such a scheduling is fixed, she can still replace the messages with fake ones, which are nevertheless accepted by the honest participants. More precisely, some pieces of messages cannot be analyzed by the participants, hence can be replaced by any other piece, provided that the attacker can construct the overall message. This can be used to mount attacks.

In the formal model, pieces that cannot be analyzed are replaced with variables. Any substitution of these variables will be accepted, provided that the attacker can deduce (using the deduction system of Figure 1) the corresponding instance. The main problem then is to decide whether there is such a substitution, yielding a violation of the security property.

Let us give a detailed example recalling how possible execution traces are formalized. 

Example 3.1. Consider the famous Needham-Schroeder asymmetric key authentication protocol [Needham and Schroeder 1978] designed for mutual authentication:

$A \to B :\ \mathsf{enca}(\langle N_A, A\rangle, B)$

$B \to A :\ \mathsf{enca}(\langle N_A, N_B\rangle, A)$

$A \to B :\ \mathsf{enca}(N_B, B)$

The agent $A$ sends to $B$ his name and a fresh nonce (a randomly generated value) encrypted with the public key of $B$. The agent $B$ answers by copying $A$'s nonce and adds a fresh nonce $N_B$, encrypted by $A$'s public key. The agent $A$ acknowledges by forwarding $B$'s nonce encrypted by $B$'s public key.

Formally, this protocol can be described using two roles A and B. The role A has two 
parameters: a, b (initiator and responder), and is (informally) specified as follows: 

$A(a, b) :\ \mathsf{generate}(n_a)$

A1. $\mathsf{send}(\mathsf{enca}(\langle n_a, a\rangle, b))$

A2. $\mathsf{receive}(\mathsf{enca}(\langle n_a, y\rangle, a)) \Rightarrow \mathsf{send}(\mathsf{enca}(y, b))$

where y is a variable: a cannot check that this piece of the message is a nonce generated 
by b. Hence it can be replaced by any term (or any term of a given sort, depending on what 
we want to model). 

Similarly, the role of B takes the two parameters b, a, and is specified as: 

$B(b, a) :\ \mathsf{generate}(n_b)$

B1. $\mathsf{receive}(\mathsf{enca}(\langle x, a\rangle, b)) \Rightarrow \mathsf{send}(\mathsf{enca}(\langle x, n_b\rangle, a))$
B2. $\mathsf{receive}(\mathsf{enca}(n_b, b))$

Without loss of generality, we may assume that send actions are performed as soon as 
the corresponding receive action is completed: this is the best scheduling strategy for the 
attacker, who will get more information for further computing fake messages. For this 
reason, we only need to consider the possible scheduling of receive events. 

Let $a, b$ be honest participants and $i$ be a corrupted one. Consider one session $A(a, i)$ and one session $B(b, a)$. There are three message deliveries to schedule: A2, B1, B2, and B2 has to occur after B1. Assume the chosen scheduling is B1, A2, B2. In this scenario, the possible sequences of message delivery are instances of $\mathsf{enca}(\langle x, a\rangle, b)$, $\mathsf{enca}(\langle n_a, y\rangle, a)$, $\mathsf{enca}(n_b, b)$. The variables $x, y$ can be replaced by any term, provided that the attacker can build the corresponding instances from her knowledge at the appropriate control point.

The initial intruder knowledge can be set to $T_0 = \{a, b, i, \mathsf{priv}(i)\}$, including the private key of the corrupted agent.

For the first message delivery, the attacker has to be able to build the first message instance from this initial knowledge and the message sent at step A1:

$$T_1 \stackrel{\text{def}}{=} T_0 \cup \{\mathsf{enca}(\langle n_a, a\rangle, i)\} \Vdash \mathsf{enca}(\langle x, a\rangle, b) \qquad (1)$$

This notation will be formally defined later on. Informally, this is a formula which is satisfied by a substitution $\sigma$ on $x$ if $\mathsf{enca}(\langle x, a\rangle, b)\sigma$ is deducible from $T_1$, expressing the ability of the intruder to construct $\mathsf{enca}(\langle x, a\rangle, b)\sigma$.

Then the agent $b$ replies by sending the corresponding instance $\mathsf{enca}(\langle x, n_b\rangle, a)$, which increases the attacker's knowledge, hence enabling its use for building the next message; we get the second deducibility constraint:

$$T_2 = T_1 \cup \{\mathsf{enca}(\langle x, n_b\rangle, a)\} \Vdash \mathsf{enca}(\langle n_a, y\rangle, a) \qquad (2)$$

Similarly, we construct a third deducibility constraint for the last message delivery:

$$T_3 = T_2 \cup \{\mathsf{enca}(y, i)\} \Vdash \mathsf{enca}(n_b, b) \qquad (3)$$

Definition 3.2. A deducibility constraint system $C$ is a finite set of expressions $T \Vdash u$, called deducibility constraints, where $T$ is a non-empty set of terms, called the left-hand side of the deducibility constraint, and $u$ is a term, called the right-hand side of the deducibility constraint, such that:

(1) the left-hand sides of all deducibility constraints are totally ordered by inclusion;

(2) if $x \in \mathcal{V}(T)$ for some $(T \Vdash u) \in C$ then

$$T_x \stackrel{\text{def}}{=} \min\{T' \mid (T' \Vdash u') \in C,\ x \in \mathcal{V}(u')\}$$

exists and $T_x \subsetneq T$.

Informally, the first condition states that the intruder knowledge is always increasing. The second condition expresses that variables abstract pieces of received messages: they have to occur first on the right side of a constraint $T \Vdash u$, before occurring in some left side. Note that, due to point (1), $T_x$ exists if and only if the set $\{T' \mid (T' \Vdash u') \in C,\ x \in \mathcal{V}(u')\}$ is not empty. The linear ordering on left-hand sides also implies the uniqueness of the minimum. Hence (2) can be restated equivalently as:

(2) $\forall x \in \mathcal{V}(C),\ \exists (T \Vdash u) \in C,\ x \in \mathcal{V}(u) \setminus \mathcal{V}(T)$

In what follows, we may use this formulation instead.

The left-hand side of a deducibility constraint system $C$, denoted by $\mathsf{lhs}(C)$, is the maximal left-hand side of the deducibility constraints of $C$. The right-hand side of a deducibility constraint system $C$, denoted by $\mathsf{rhs}(C)$, is the set of right-hand sides of its deducibility constraints. $\mathcal{V}(C)$ denotes the set of variables occurring in $C$. $\bot$ denotes the unsatisfiable system. The size of a constraint system is defined as $|C| \stackrel{\text{def}}{=} |\mathsf{lhs}(C) \cup \mathsf{rhs}(C)|$.

A deducibility constraint system $C$ is also written as a conjunction of deducibility constraints

$$C = \bigwedge_{1 \le i \le n} (T_i \Vdash u_i)$$

with $T_i \subseteq T_{i+1}$ for all $i$ with $1 \le i \le n-1$. The second condition in Definition 3.2 then implies that if $x \in \mathcal{V}(T_i)$ then $\exists j < i$ such that $T_j = T_x$ and $T_j \subsetneq T_i$.

Definition 3.3. A solution $\sigma$ of a deducibility constraint system $C$ is a (well-sorted) ground substitution whose domain is $\mathcal{V}(C)$ and such that, for every $T \Vdash u \in C$, $T\sigma \vdash u\sigma$.

Example 3.4. Coming back to Example 3.1, the substitution $\sigma_1 = \{n_a/x, n_b/y\}$ is a solution of the deducibility constraint system since

$T_0 \cup \{\mathsf{enca}(\langle n_a, a\rangle, i)\} \vdash \mathsf{enca}(\langle x, a\rangle, b)\sigma_1$

$T_1\sigma_1 \cup \{\mathsf{enca}(\langle x, n_b\rangle, a)\sigma_1\} \vdash \mathsf{enca}(\langle n_a, y\rangle, a)\sigma_1$

$T_2\sigma_1 \cup \{\mathsf{enca}(y, i)\sigma_1\} \vdash \mathsf{enca}(n_b, b)$

3.2 Security properties 

Deducibility constraint systems represent in a symbolic and compact way a possibly infinite set of traces (behaviors), which depend on the attacker's actions. Security properties are formulas that are interpreted over these traces.

Definition 3.5. Given a set of predicate symbols together with their interpretation over the set of ground terms, an (in)security property is a first-order formula $\phi$ built on these predicate symbols. A solution of $\phi$ is a ground substitution $\sigma$ of $\mathcal{V}(\phi)$ such that $\phi\sigma$ is true in the given interpretation. (We also write $\sigma \models \phi$.)

If $C$ is a deducibility constraint system and $\phi$ is an (in)security property, possibly sharing free variables with $C$, a closed substitution $\sigma$ from $\mathcal{V}(\phi) \cup \mathcal{V}(C)$ is an attack for $\phi$ and $C$ if $\sigma$ is a solution of both $C$ and $\phi$.
Example 3.6. If the security property is simply true (which is always satisfied) and the only sort is Msg then we find the usual deducibility constraint system satisfaction problem, whose satisfiability is known to be NP-complete [Rusinowitch and Turuani 2003].

Example 3.7. Secrecy can be easily expressed by requiring that the secret data is not deducible from the messages sent on the network. We consider again the deducibility constraint system $C_1$ defined in Example 3.1. The (in)security property then expresses that $n_b$ is deducible: $\phi$ is the deducibility constraint $T_3 \Vdash n_b$. Note that we may view a constraint (system) as a first-order formula.

Then the substitution $\sigma_1 = \{n_a/x, n_b/y\}$ is an attack for $\phi$ and $C_1$ and corresponds to the attack found by G. Lowe [Lowe 1996]. Note that such a deduction-based property can be directly included in the constraint system by adding a deducibility constraint $T_3 \Vdash n_b$.
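The deduction system of Fig. 1 and the notion of solution (Definition 3.3) can be exercised on Examples 2.1, 3.4 and 3.7 with the following small model. It is an added example, not code from the paper; it assumes a single sort Msg, represents terms as nested tuples, and includes the optional unsigning rule.

```python
# Added example (not code from the paper): a small Python model of the
# intruder deduction system of Fig. 1 and of deducibility constraint systems
# (Definitions 3.2 and 3.3), run on Example 2.1 and on the Needham-Schroeder
# scenario of Examples 3.1, 3.4 and 3.7.
#
# Assumed encoding: a name or key is a plain string, a variable is a string
# starting with '?', and f(t1, ..., tn) is the tuple ('f', t1, ..., tn) with
# f in {'pair', 'enc', 'enca', 'sign', 'priv'}.  Sorts are ignored (one sort Msg).


def subst(t, sigma):
    """Apply the substitution sigma = {variable: term} to the term t."""
    if isinstance(t, str):
        return sigma.get(t, t)
    return (t[0],) + tuple(subst(a, sigma) for a in t[1:])


def composable(known, u):
    """u is built from the set `known` by the composition rules only
    (pairing, symmetric/asymmetric encryption, signing)."""
    if u in known:
        return True
    if isinstance(u, str) or u[0] == 'priv':
        return False  # names and private keys are never composed
    return all(composable(known, a) for a in u[1:])


def deducible(T, u, unsigning=True):
    """T |- u for ground terms: saturate T under the decomposition rules of
    Fig. 1 (projections, decryptions and the optional unsigning rule), then
    check whether u can be composed from the saturated set."""
    known = set(T)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, str):
                continue
            f, args = t[0], t[1:]
            new = []
            if f == 'pair':                                   # projections
                new = list(args)
            elif f == 'enc' and composable(known, args[1]):   # symmetric decryption
                new = [args[0]]
            elif f == 'enca' and ('priv', args[1]) in known:  # asymmetric decryption
                new = [args[0]]
            elif f == 'sign' and unsigning:                   # optional unsigning
                new = [args[0]]
            for n in new:
                if n not in known:
                    known.add(n)
                    changed = True
    return composable(known, u)


def is_solution(system, sigma):
    """Definition 3.3: sigma solves the system iff T.sigma |- u.sigma holds
    for every deducibility constraint (T, u) of the system."""
    return all(deducible([subst(t, sigma) for t in T], subst(u, sigma))
               for T, u in system)


def example_2_1():
    """<k1, k2> is deducible from S1 = {enc(k1, k2), k2}."""
    S1 = [('enc', 'k1', 'k2'), 'k2']
    return deducible(S1, ('pair', 'k1', 'k2'))


def needham_schroeder_system():
    """Constraints (1)-(3) of Example 3.1: sessions A(a, i) and B(b, a),
    scheduling B1, A2, B2, initial knowledge T0 = {a, b, i, priv(i)}."""
    a, b, i, na, nb = 'a', 'b', 'i', 'na', 'nb'
    T0 = [a, b, i, ('priv', i)]
    T1 = T0 + [('enca', ('pair', na, a), i)]       # sent by a at step A1
    T2 = T1 + [('enca', ('pair', '?x', nb), a)]    # b's reply at step B1
    T3 = T2 + [('enca', '?y', i)]                  # a's reply at step A2
    return [(T1, ('enca', ('pair', '?x', a), b)),  # (1)
            (T2, ('enca', ('pair', na, '?y'), a)), # (2)
            (T3, ('enca', nb, b))]                 # (3)


def lowe_attack():
    """Examples 3.4 and 3.7: sigma1 = {na/x, nb/y} solves the system, and the
    (in)security property T3 |- nb holds under sigma1, so nb is not secret."""
    system = needham_schroeder_system()
    sigma1 = {'?x': 'na', '?y': 'nb'}
    T3 = system[-1][0]
    return {'solution': is_solution(system, sigma1),
            'nb_deducible': deducible([subst(t, sigma1) for t in T3], 'nb')}


if __name__ == '__main__':
    print('Example 2.1:', example_2_1())
    print('Lowe attack:', lowe_attack())
```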

Example 3.8. Let us show here an example of an authentication property. Two agents $A$ and $B$ authenticate on some message $m$ if whenever $B$ finishes a session believing he has talked to $A$ then $A$ has indeed finished a session with $B$ and they share the same value for $m$. Note that the agents $A$ and $B$ have in general a different view of the message $m$, depending e.g. on which nonces they have generated themselves and on which nonces they have received. If $m_A$ denotes the view of $m$ from $A$ and $m_B$ the view of $m$ from $B$, then the insecurity property states that there is a trace in which these two messages are distinct.

Back to Example 3.1, consider another scenario with two instances of the role $A$: $A(a, i)$ and $A(a, b)$, and one instance of the role $B$: $B(b, a)$. The attacker schedules the communications as in Example 3.1: in particular the expected message delivery in $A(a, b)$ is not scheduled (the message is not delivered). Then the deducibility constraint system $C'_1$ is identical to $C_1$, except that $T_0$ is replaced with $T'_0 = T_0 \cup \{\mathsf{enca}(\langle n'_a, a\rangle, b)\}$. The nonce $x$ received by $b$ should correspond to the nonce sent by $a$ for $b$; we consider $m_A = n'_a$, $m_B = x$.

The failure of authentication can be stated as the simple formula $x \neq n'_a$. The substitution $\sigma_1$ defined in Example 3.7 is then an attack, since $b$ accepts the nonce $n_a$ instead of

In Sections 5, 6 and 7 we provide other examples corresponding to time constraints, to more general authentication-like properties, or to expressing that no key cycles are allowed.

4. SIMPLIFYING DEDUCIBILITY CONSTRAINT SYSTEMS 

Using simplification rules, solving deducibility constraint systems can be reduced to solving simpler constraint systems that we call solved. One nice property of the transformation is that it works for any security property.

Definition 4.1. A deducibility constraint system is solved if it is $\bot$ or each of its constraints is of the form $T \Vdash x$, where $x$ is a variable.

This definition corresponds to the notion of solved form in [Comon-Lundh and Shmatikov 
2003]. Note that the empty deducibility constraint system is solved. 

Solved deducibility constraint systems with the single sort Msg are particularly simple in the case of the true predicate since they always have a solution, as noticed in [Millen and Shmatikov 2001]. Indeed, let $T_1$ be the smallest (w.r.t. inclusion) left-hand side of all constraints of a deducibility constraint system. From Definition 3.2, $T_1$ is non-empty and has no variables. Let $t \in T_1$. Then the substitution $\theta$ defined by $x\theta = t$ for every variable $x$ is a solution since $T \vdash x\theta = t$ for any constraint $T \Vdash x$ in the solved system.

Fig. 2. Simplification rules.

$R_1$: $C \wedge T \Vdash u \rightsquigarrow C$ if $T \cup \{x \mid (T' \Vdash x) \in C,\ T' \subsetneq T\} \vdash u$

$R_2$: $C \wedge T \Vdash u \rightsquigarrow_\sigma C\sigma \wedge T\sigma \Vdash u\sigma$ if $\sigma = \mathsf{mgu}(t, u)$, $t \in St(T)$, $t \neq u$, $t, u$ not variables

$R_3$: $C \wedge T \Vdash u \rightsquigarrow_\sigma C\sigma \wedge T\sigma \Vdash u\sigma$ if $\sigma = \mathsf{mgu}(t_1, t_2)$, $t_1, t_2 \in St(T)$, $t_1 \neq t_2$, $t_1, t_2$ not variables

$R'_3$: $C \wedge T \Vdash u \rightsquigarrow_\sigma C\sigma \wedge T\sigma \Vdash u\sigma$ if $\sigma = \mathsf{mgu}(t_2, t_3)$, $\mathsf{enca}(t_1, t_2), \mathsf{priv}(t_3) \in St(T)$, $t_2 \neq t_3$, $t_2$ or $t_3$ (or both) is a variable

$R_4$: $C \wedge T \Vdash u \rightsquigarrow \bot$ if $\mathcal{V}(T, u) = \emptyset$ and $T \nvdash u$

$R_f$: $C \wedge T \Vdash f(u, v) \rightsquigarrow C \wedge T \Vdash u \wedge T \Vdash v$ for $f \in \{\langle\,\rangle, \mathsf{enc}, \mathsf{enca}, \mathsf{sign}\}$

4.1 Simplification rules 

The simplification rules we consider are defined in Figure 2. For instance, the rule $R_1$ removes a redundant constraint, i.e., one that is a logical consequence of smaller constraints. The rule $R_3$ guesses some identity (confusion) between two sent sub-messages.

All the rules are in fact indexed by a substitution: when there is no index, the identity substitution is implicitly assumed. We write $C \rightsquigarrow^n_\sigma C'$ if there are $C_1, \dots, C_n$ with $n \ge 1$, $C' = C_n$, $C \rightsquigarrow_{\sigma_1} C_1 \rightsquigarrow_{\sigma_2} \cdots \rightsquigarrow_{\sigma_n} C_n$, and $\sigma = \sigma_1 \sigma_2 \cdots \sigma_n$. We write $C \rightsquigarrow^*_\sigma C'$ if $C \rightsquigarrow^n_\sigma C'$ for some $n \ge 1$, or if $C' = C$ and $\sigma$ is the identity substitution.

Example 4.2. Let us consider the following deducibility constraint system $C$:

$$C = \left\{ \begin{array}{l} T_1 \Vdash \langle enca(x,a), enca(y,a)\rangle \\ T_2 \Vdash k_1 \end{array} \right.$$

where $T_1 = \{a, \langle enca(k_1,a), enca(k_2,a)\rangle\}$ and $T_2 = T_1 \cup \{enc(y,x)\}$. The deducibility constraint system $C$ can be simplified into a solved form using (for example) the following sequence of simplification rules.

$$C \;\rightsquigarrow_{R_{\langle\rangle}}\; \left\{\begin{array}{l} T_1 \Vdash enca(x,a) \\ T_1 \Vdash enca(y,a) \\ T_2 \Vdash k_1 \end{array}\right. \;\rightsquigarrow_{R_{enca}}\; \left\{\begin{array}{l} T_1 \Vdash x \\ T_1 \Vdash a \\ T_1 \Vdash enca(y,a) \\ T_2 \Vdash k_1 \end{array}\right. \;\rightsquigarrow_{R_1}\; \left\{\begin{array}{l} T_1 \Vdash x \\ T_1 \Vdash enca(y,a) \\ T_2 \Vdash k_1 \end{array}\right.$$

since $T_1 \vdash a$. Let $\sigma = mgu(enca(k_1,a), enca(y,a)) = \{k_1/y\}$. We have

$$\left\{\begin{array}{l} T_1 \Vdash x \\ T_1 \Vdash enca(y,a) \\ T_2 \Vdash k_1 \end{array}\right. \;\rightsquigarrow_{R_2,\sigma}\; \left\{\begin{array}{l} T_1 \Vdash x \\ T_1 \Vdash enca(k_1,a) \\ T_2\sigma \Vdash k_1 \end{array}\right. \;\rightsquigarrow_{R_1}\; \left\{\begin{array}{l} T_1 \Vdash x \\ T_2\sigma \Vdash k_1 \end{array}\right. \;\rightsquigarrow_{R_1}\; T_1 \Vdash x$$

since $T_1 \vdash enca(k_1,a)$ and $T_2\sigma \cup \{x\} \vdash k_1$. Intuitively, it means that any substitution of the form $\{m/x, k_1/y\}$ such that $m$ is deducible from $T_1$ is a solution of $C$.
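The deduction relation $\vdash$ and the rules of Figure 2 can be executed on Example 4.2. The following Python program is an added example and not code from the paper: it implements Dolev-Yao deduction (saturation of $T$ under the decomposition rules, then composition), syntactic unification, and the rules $R_1$, $R_2$, $R_3$, $R'_3$, $R_4$, $R_f$, and then searches depth-first for every solved form reachable from the system $C$ of Example 4.2. The encoding of terms (string atoms, variables prefixed with `?`, tuples `(f, ...)` for `enc`, `enca`, `sign`, `pair`, `priv`) is our own convention, and the search simply explores all rule choices, which is enough for a system of this size.

```python
"""Deducibility constraint simplification (Figure 2) on Example 4.2.
Added example: terms are str atoms, '?'-prefixed str variables, or
tuples (f, *args) with f in enc, enca, sign, pair, priv (our encoding)."""
from itertools import combinations

COMPOSABLE = {"pair", "enc", "enca", "sign"}   # the f of rule R_f


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def vars_of(t):
    if is_var(t):
        return {t}
    return set().union(*(vars_of(a) for a in t[1:])) if isinstance(t, tuple) else set()


def subterms(t):
    s = {t}
    if isinstance(t, tuple):
        for a in t[1:]:
            s |= subterms(a)
    return s


def St(T):
    return set().union(*(subterms(t) for t in T))


def subst(t, sigma):
    """Apply an idempotent substitution (dict var -> term)."""
    if is_var(t):
        return sigma.get(t, t)
    if isinstance(t, tuple):
        return (t[0],) + tuple(subst(a, sigma) for a in t[1:])
    return t


def mgu(s, t):
    """Most general unifier as an idempotent dict, or None if s, t do not unify."""
    sigma, todo = {}, [(s, t)]
    while todo:
        a, b = (subst(x, sigma) for x in todo.pop())
        if a == b:
            continue
        if is_var(b) and not is_var(a):
            a, b = b, a
        if is_var(a):
            if a in vars_of(b):                     # occurs check
                return None
            sigma = {x: subst(y, {a: b}) for x, y in sigma.items()}
            sigma[a] = b
        elif isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
            todo.extend(zip(a[1:], b[1:]))
        else:
            return None
    return sigma


def deducible(T, u):
    """Dolev-Yao deduction T |- u: saturate T under projection, symmetric and
    asymmetric decryption and unsigning, then check whether u can be composed."""
    S = set(T)
    changed = True
    while changed:
        changed = False
        for t in list(S):
            if not isinstance(t, tuple):
                continue
            f, new = t[0], set()
            if f == "pair":
                new = {t[1], t[2]}
            elif f == "enc" and t[2] in S:           # key known
                new = {t[1]}
            elif f == "enca" and ("priv", t[2]) in S:  # private key known
                new = {t[1]}
            elif f == "sign":
                new = {t[1]}
            if not new <= S:
                S |= new
                changed = True

    def compose(v):
        return v in S or (isinstance(v, tuple) and v[0] in COMPOSABLE
                          and all(compose(a) for a in v[1:]))
    return compose(u)


def apply_subst(C, sigma):
    return [(frozenset(subst(t, sigma) for t in T), subst(u, sigma)) for T, u in C]


def successors(C):
    """All systems reachable from C by one rule of Figure 2, paired with the
    rule's substitution; None stands for bottom (rule R4)."""
    out = []
    for i, (T, u) in enumerate(C):
        if is_var(u):
            continue                                    # constraint already solved
        rest = C[:i] + C[i + 1:]
        solved = {x for T2, x in C if is_var(x) and T2 < T}
        if deducible(T | solved, u):                    # R1: redundant constraint
            out.append((rest, {}))
        if isinstance(u, tuple) and u[0] in COMPOSABLE:    # R_f: split a composed rhs
            out.append((rest + [(T, a) for a in u[1:]], {}))
        if not vars_of(u) and not any(vars_of(t) for t in T) and not deducible(T, u):
            out.append((None, {}))                      # R4: ground and not deducible
        st = St(T)
        nonvar = [t for t in st if not is_var(t)]
        pairs = [(t, u) for t in nonvar if t != u]                           # R2
        pairs += list(combinations(nonvar, 2))                               # R3
        pairs += [(e[2], p[1]) for e in st if isinstance(e, tuple) and e[0] == "enca"
                  for p in st if isinstance(p, tuple) and p[0] == "priv"
                  and e[2] != p[1] and (is_var(e[2]) or is_var(p[1]))]       # R3'
        for s, t in pairs:
            sigma = mgu(s, t)
            if sigma:                                   # a unifier binding something
                out.append((apply_subst(C, sigma), sigma))
    return out


def solved_forms(C, sigma=None, seen=None):
    """Depth-first enumeration of all (solved form, substitution) pairs reachable
    from C, i.e. the search behind Theorem 4.3; revisited pairs are pruned."""
    sigma, seen = sigma or {}, set() if seen is None else seen
    key = (frozenset(C), frozenset(sigma.items()))
    if key in seen:
        return set()
    seen.add(key)
    if all(is_var(u) for _, u in C):
        return {key}
    found = set()
    for C2, s in successors(C):
        if C2 is None:
            continue
        composed = {x: subst(t, s) for x, t in sigma.items()}   # sigma followed by s
        composed.update({x: t for x, t in s.items() if x not in composed})
        found |= solved_forms(C2, composed, seen)
    return found


def example_4_2():
    """The system C of Example 4.2: T1 |- <enca(x,a), enca(y,a)>, T2 |- k1."""
    a, k1, k2, x, y = "a", "k1", "k2", "?x", "?y"
    T1 = frozenset({a, ("pair", ("enca", k1, a), ("enca", k2, a))})
    T2 = T1 | {("enc", y, x)}
    return solved_forms([(T1, ("pair", ("enca", x, a), ("enca", y, a))), (T2, k1)])


if __name__ == "__main__":
    for system, sigma in example_4_2():
        print(sorted(system, key=repr), dict(sigma))
```

Running it yields the single solved form $\{T_1 \Vdash x\}$ with the substitution $\{k_1/y\}$ of Example 4.2; the branches that guess $x = k_1$ or $x = k_2$ end in $\bot$ by $R_4$ or get stuck unsolved, which is why an exhaustive search rather than a fixed strategy is needed to match the completeness statement.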



The simplification rules are correct and complete: a deducibility constraint system $C$ has a solution, which is also a solution of a (in)security property $\phi$, if and only if there exists a deducibility constraint system $C'$ in solved form such that $C \rightsquigarrow^*_\sigma C'$ and there is a solution of both $C'$ and $\phi\sigma$. Note that several simplification rules can possibly be applied to a given deducibility constraint system.

Theorem 4.3. Let $C$ be a deducibility constraint system, $\theta$ a substitution, and $\phi$ a (in)security property.

(1) (Correctness) If $C \rightsquigarrow^*_\sigma C'$ for some deducibility constraint system $C'$ and some substitution $\sigma$, and if $\theta$ is an attack for $\phi\sigma$ and $C'$, then $\sigma\theta$ is an attack for $\phi$ and $C$.

(2) (Completeness) If $\theta$ is an attack for $C$ and $\phi$, then there exist a deducibility constraint system $C'$ in solved form and substitutions $\sigma, \theta'$ such that $\theta = \sigma\theta'$, $C \rightsquigarrow^*_\sigma C'$, and $\theta'$ is an attack for $C'$ and $\phi\sigma$.

(3) (Termination) There is no infinite derivation sequence $C \rightsquigarrow_{\sigma_1} C_1 \rightsquigarrow_{\sigma_2} \cdots$.

Theorem 4.3 is proved in Sections 4.2, 4.3, and 4.4. 

Getting a polynomial bound on the length of simplification sequences requires however 
an additional memorization technique. This is explained in Section 4.6. 

4.2 Correctness 

We first give two simple lemmas.

Lemma 4.4. If $T \vdash u$ then $V(u) \subseteq V(T)$.

Proof. The statement follows by induction on the depth of a proof of $T \vdash u$, observing that no deduction rule introduces new variables. Indeed, $V(t) \subseteq \bigcup_i V(t_i)$ for deduction rules of the form

$$\frac{S \vdash t_1 \quad \cdots \quad S \vdash t_k}{S \vdash t}$$

with $k > 0$, and $V(t) \subseteq V(S)$ for the axiom (that is, if $t \in S$). □

The next lemma shows the "cut elimination" property for the deduction system $\vdash$.

Lemma 4.5. If $T \vdash u$ and $T, u \vdash v$ then $T \vdash v$.

Proof. Consider a proof $\pi$ of $T \vdash u$ and a proof $\pi'$ of $T, u \vdash v$. The tree obtained from $\pi'$ by

— replacing the nodes $T, u \vdash t$ in $\pi'$ with $T \vdash t$,

— replacing each new leaf $T \vdash u$ (the old $T, u \vdash u$) with the tree $\pi$,

is a proof of $T \vdash v$. □

As a consequence, if $T \subseteq T'$, $T' \vdash u$, and $T \vdash v$ for all $v \in T' \setminus T$, then $T \vdash u$.

We show now that the simplification rules preserve deducibility constraint systems.

Lemma 4.6. The simplification rules transform a deducibility constraint system into a deducibility constraint system.

Proof. Let $C$ be a deducibility constraint system and $C \rightsquigarrow_\sigma C'$.

Since $T_i \subseteq T_{i+1}$ implies $T_i\sigma \subseteq T_{i+1}\sigma$, $C'$ satisfies the first point of the definition of deducibility constraint systems.

We show that $C'$ also satisfies the second point of the definition of deducibility constraint systems. Let $(T' \Vdash u') \in C'$ and $x \in V(T')$. We have to prove that $T'_x$ exists and $T'_x \subsetneq T'$ (where $T'_x$ denotes the minimal left hand side of a constraint of $C'$ whose right hand side contains $x$). We distinguish cases, depending on which simplification rule is applied:

— If the rule $R_1$ is applied, eliminating the constraint $T \Vdash u$, then $C' = C \setminus \{T \Vdash u\}$. If $T_x \neq T$ then $T'_x = T_x$ (and thus exists and $T'_x \subsetneq T'$). Suppose that $T_x = T$. Then there is $(T \Vdash u'') \in C$ such that $x \in V(u'')$. If $u \neq u''$ then again $T'_x = T_x$ (since $(T_x \Vdash u'') \in C'$). Finally, suppose that $u = u''$. By the minimality of $T$, it follows that $x \notin V(T)$ and $x \notin \{y \mid (T'' \Vdash y) \in C,\ T'' \subsetneq T\}$. Since $x \in V(u)$, by Lemma 4.4, $T \cup \{y \mid (T'' \Vdash y) \in C,\ T'' \subsetneq T\} \nvdash u$, which contradicts the applicability of rule $R_1$.

— If one of the rules $R_2$, $R_3$ or $R'_3$ is applied, then, for each constraint $(T'' \Vdash u'') \in C'$, there is a constraint $(T \Vdash u) \in C$ such that $T\sigma = T''$ and $u\sigma = u''$. Consider $(T \Vdash u) \in C$ such that $T\sigma = T'$ and $u\sigma = u'$.

If $x$ is not introduced by $\sigma$, then $x \in V(T)$. Then $T_x$ exists and $T_x \subsetneq T$. Thus $T_x\sigma \subseteq T\sigma$. If $T_x\sigma = T\sigma$, then $x \in V(T_x\sigma)$, which contradicts the minimality of $T_x$. Thus $T_x\sigma \subsetneq T\sigma$. We also have that $\{T''\sigma \mid (T'' \Vdash u'') \in C,\ x \in V(u'')\} \subseteq \{T''\sigma \mid (T''\sigma \Vdash u''\sigma) \in C',\ x \in V(u''\sigma)\}$, since, for any term $u''$, if $x \in V(u'')$ then $x \in V(u''\sigma)$. It follows that $T'_x$ exists and $T'_x \subseteq T_x\sigma$. Hence $T'_x \subsetneq T'$.

Otherwise, assume that $x$ is introduced by $\sigma$: $\exists y \in V(T)$ such that $x \in V(y\sigma)$. Then $T_y$ exists and $T_y \subsetneq T$. Let $Y = \{z \in V(T) \mid x \in V(z\sigma)\}$ and let $y_0 \in Y$ be such that $T_{y_0} = \min\{T_y \mid y \in Y\}$. For all $y' \in Y$, we have that

$$\begin{array}{rcl} A & = & \{T'' \mid (T'' \Vdash u'') \in C',\ x \in V(u'')\} \\ & = & \{T\sigma \mid (T \Vdash u) \in C,\ x \in V(u\sigma)\} \\ & \supseteq & \{T\sigma \mid (T \Vdash u) \in C,\ \exists z \in V(u),\ x \in V(z\sigma)\} \\ & \supseteq & \{T\sigma \mid (T \Vdash u) \in C,\ y' \in V(u),\ x \in V(y'\sigma)\} \\ & = & \{T\sigma \mid (T \Vdash u) \in C,\ y' \in V(u)\} \;=\; B_{y'}. \end{array}$$

Thus $T'_x = \min A \subseteq \min B_{y'} = T_{y'}\sigma$. From $T_{y_0} \subsetneq T$, we obtain that $T_{y_0}\sigma \subseteq T\sigma$. Suppose, by contradiction, that $T_{y_0}\sigma = T\sigma$. Then $x \in V(T_{y_0}\sigma)$ (since $x \in V(T\sigma)$). That is, there exists $z \in V(T_{y_0})$ such that $x \in V(z\sigma)$. From condition 2 of Definition 3.2 applied to $z$, it follows that $T_z \subsetneq T_{y_0}$. As $z$ is in $Y$, this contradicts the choice of $y_0$. Thus $T'_x \subseteq T_{y_0}\sigma \subsetneq T\sigma = T'$.

— If the rule $R_4$ is applied then there is nothing to prove.

— If some rule $R_f$ is applied, then the property is preserved, since, if $x \in V(u'')$ for some term $u''$ such that $(T'' \Vdash u'') \in C'$, then there is a term $v$ with $x \in V(v)$ such that $(T'' \Vdash v) \in C$.

□

Lemma 4.7 (Correctness). If $C \rightsquigarrow_\sigma C'$, then for every solution $\tau$ of $C'$, $\sigma\tau$ is a solution of $C$.

Proof. If $C'$ is obtained by applying $R_1$, then we have to prove that $T\tau \vdash u\tau$, where $T \Vdash u$ is the eliminated constraint. We know that $T \cup \{x \mid (T' \Vdash x) \in C,\ T' \subsetneq T\} \vdash u$. It follows that $T\tau \cup \{x\tau \mid (T' \Vdash x) \in C,\ T' \subsetneq T\} \vdash u\tau$. All constraints $T' \Vdash x$ in $C$ with $T' \subsetneq T$ are also constraints in $C'$. Thus, for all such constraints, we have that $T'\tau \vdash x\tau$, and hence $T\tau \vdash x\tau$. Then, from Lemma 4.5, we obtain that $T\tau \vdash u\tau$.

If $C'$ is obtained by applying $R_2$, $R_3$ or $R'_3$, then, for every constraint $T \Vdash u$ of $C$, $(T\sigma)\tau \vdash (u\sigma)\tau$, hence $T(\sigma\tau) \vdash u(\sigma\tau)$.

If $C'$ is obtained by applying some rule $R_f$, then we obtain that $T\tau \vdash f(u,v)\tau$ from $T\tau \vdash u\tau$ and $T\tau \vdash v\tau$ by applying the corresponding inference rule (e.g. encryption if $f = enc$).

Finally, $C'$ cannot be obtained by the rule $R_4$, since it is satisfiable.

It follows that, in all cases, $\sigma\tau$ satisfies $C$. □

4.3 Completeness 

Let $T_1 \subseteq T_2 \subseteq \cdots \subseteq T_n$. We say that a proof $\pi$ of $T_i \vdash u$ is left minimal if, whenever there is a proof of $T_j \vdash u$ for some $j < i$, then replacing $T_i$ with $T_j$ in all left members of the labels of $\pi$ yields a proof of $T_j \vdash u$. In other words, the left-minimal proofs are those that can be performed in a minimal $T_j$.

We say that a proof is simple if all its subproofs are left minimal and there is no repeated label on any branch. Remark that a subproof of a simple proof is simple.

Lemma 4.8. If there is a proof of $T_i \vdash u$, then there is a simple proof of it.

Proof. We prove the property by induction on the pair $(i, m)$ (considering the lexicographic ordering), where $m$ is the size of a proof of $T_i \vdash u$.

If $i = 1$ then any (subproof of any) proof of $T_1 \vdash u$ is left minimal and there exists a proof without repeated labels on any path.

If $i > 1$ and there is a $j < i$ such that $T_j \vdash u$, then we apply the induction hypothesis to obtain the existence of a simple proof of $T_j \vdash u$. This proof is also a simple proof of $T_i \vdash u$.

If $i > 1$ and there is no $j < i$ such that $T_j \vdash u$, then we apply the induction hypothesis on the immediate subproofs $\pi_1, \dots, \pi_n$ of the proof $\pi$ of $T_i \vdash u$. If the label $T_i \vdash u$ appears in one of the resulting proofs $\pi'_k$, then replace $\pi$ with a subproof of $\pi'_k$ whose conclusion is $T_i \vdash u$. The new proof does not contain any label $T_i \vdash u$. Otherwise, if $\pi$ is obtained by applying an inference rule $R$ to $\pi_1, \dots, \pi_n$, then replace $\pi$ with the proof obtained by applying $R$ to $\pi'_1, \dots, \pi'_n$. In both cases the resulting proof and all of its subproofs are left minimal by construction, and hence the resulting proof is simple. □

Lemma 4.9. Let $C$ be a deducibility constraint system, $\theta$ be a solution of $C$, $T_i$ be a left hand side of $C$ such that, for any $(T \Vdash v) \in C$, if $T \subsetneq T_i$, then $v$ is a variable. Let $u$ be any term. If there is a simple proof of $T_i\theta \vdash u$ whose last inference rule is a decomposition, then there is a non-variable $t \in St(T_i)$ such that $t\theta = u$.

Proof. Consider a simple proof $\pi$ of $T_i\theta \vdash u$. We may assume, without loss of generality, that $i$ is minimal. Otherwise, we simply replace everywhere in the proof $T_i$ with a minimal $T_j$ such that $T_j\theta \vdash u$ is derivable; by left minimality, we get again a proof tree, whose last inference rule is a decomposition. Such a $T_j \subseteq T_i$ also satisfies the hypotheses of the lemma.

We reason by induction on the depth of the proof $\pi$. We make a case distinction, depending on the last rule of $\pi$:

The last rule is an axiom. Then $u \in T_i\theta$ and there is $t \in T_i$ (thus $t \in St(T_i)$) such that $t\theta = u$. By contradiction, if $t$ was a variable then $T_t \Vdash w$, with $t \in V(w)$, is a constraint in $C$ such that $T_t \subsetneq T_i$. Moreover, by hypothesis of the lemma, $w$ must be a variable. Hence $w = t$. Then $T_t\theta \vdash u$, which contradicts the minimality of $i$.

The last rule is a symmetric decryption.

$$\pi = \frac{\pi_1 \qquad \pi_2}{T_i\theta \vdash u} \qquad \text{where } \pi_1 \text{ proves } T_i\theta \vdash enc(u,w) \text{ and } \pi_2 \text{ proves } T_i\theta \vdash w$$

By simplicity, the last rule of $\pi_1$ cannot be a composition: $T_i\theta \vdash u$ would appear twice on the same path. Then, by induction hypothesis, there is a non-variable $t \in St(T_i)$ such that $t\theta = enc(u,w)$. It follows that $t = enc(t',t'')$ with $t'\theta = u$. If $t'$ was a variable, then $T_{t'}\theta \vdash t'\theta$ would be derivable. Hence $T_{t'}\theta \vdash u$ would be derivable, which again contradicts the minimality of $i$. Hence $t'$ is not a variable, as required.

The last rule is an asymmetric decryption (resp. projection, resp. unsigning). The proof is similar to the above one: by simplicity and by induction hypothesis, there is a non-variable $t \in St(T_i)$ such that $t\theta = enca(u,v)$ (resp. $t\theta = \langle u,v\rangle$, resp. $t\theta = sign(u, priv(v))$). Then $t = enca(t',t'')$ (resp. $t = \langle t',t''\rangle$, resp. $t = sign(t',t'')$), $t' \in St(T_i)$, $t'\theta = u$ and, by minimality of $i$, $t'$ is not a variable.

□

Lemma 4.10. Let $C$ be a deducibility constraint system and $\theta$ be a solution of $C$. Let $T_i$ be a left hand side of a constraint in $C$ and $u$ be a term, such that:

(1) for any $(T \Vdash v) \in C$, if $T \subsetneq T_i$, then $v$ is a variable;

(2) $T_i$ does not contain two distinct non-variable subterms $t_1, t_2$ with $t_1\theta = t_2\theta$;

(3) $T_i$ does not contain two subterms $enca(t_1, x)$ and $priv(t_2)$ where $x$ is a variable distinct from $t_2$;

(4) $T_i$ does not contain two subterms $enca(t_1, t_2)$ and $priv(x)$ where $x$ is a variable distinct from $t_2$;

(5) $u$ is a non-variable subterm of $T_i$;

(6) $T_i\theta \vdash u\theta$.

Then $T'_i \vdash u$, where $T'_i = T_i \cup \{x \mid (T \Vdash x) \in C,\ T \subsetneq T_i\}$.

Proof. Let $j$ be minimal such that $T_j\theta \vdash u\theta$. Thus $j \le i$ and $T_j \subseteq T_i$ (hence also $T'_j \subseteq T'_i$). Consider a simple proof $\pi$ of $T_j\theta \vdash u\theta$. We reason by induction on the depth of $\pi$. We analyze the different cases, depending on the last rule of $\pi$:

The last rule is an axiom. Suppose, by contradiction, that $u \notin T_j$. Then there is $t \in T_j$ such that $t\theta = u\theta$ and $t \neq u$. By hypothesis 5, $u$ is not a variable and, by hypothesis 2 of the lemma, $t, u$ cannot both be non-variable subterms of $T_i$. It follows that $t$ is a variable. Then $T_t\theta \vdash t\theta$, which implies $T_t\theta \vdash u\theta$, contradicting the minimality of $j$, since $T_t \subsetneq T_j$. Hence $u \in T_j$ and then $T'_j \vdash u$, as required.

The last rule is the symmetric decryption rule. There is $w$ such that $T_j\theta \vdash enc(u\theta, w)$ and $T_j\theta \vdash w$:

$$\frac{T_j\theta \vdash enc(u\theta, w) \qquad T_j\theta \vdash w}{T_j\theta \vdash u\theta}$$

By simplicity, the last rule of the proof of $T_j\theta \vdash enc(u\theta, w)$ is a decomposition. By Lemma 4.9, there is $t \in St(T_j)$, $t$ not a variable, such that $t\theta = enc(u\theta, w)$. Let $t = enc(t_1, t_2)$ with $t_1\theta = u\theta$ and $t_2\theta = w$. By induction hypothesis, $T'_j \vdash t$.

If $t_1$ was a variable, then $T_{t_1} \subsetneq T_j$ and, by hypothesis 1 of the lemma, $T_{t_1}$ must be the left-hand side of a solved constraint: $(T_{t_1} \Vdash t_1) \in C$ and therefore $T_{t_1}\theta \vdash u\theta$, contradicting the minimality of $j$.

Now, by hypothesis 5 of the lemma, $u$ is a non-variable subterm of $T_i$, hence $t_1, u$ are two non-variable subterms of $T_i$ such that $t_1\theta = u\theta$. By hypothesis 2 of the lemma, this implies $t_1 = u$.

On the other hand, if $t_2$ is a variable, $t_2 \in V(T_j)$ implies $T_{t_2} \subsetneq T_j$ and, by hypothesis 1, $(T_{t_2} \Vdash t_2) \in C$, which implies $t_2 \in T'_j$. If $t_2$ is not a variable, then, from $T_j\theta \vdash t_2\theta$ and by induction hypothesis, $T'_j \vdash t_2$. So, in any case, $T'_j \vdash t_2$.

Now, we have both $T'_j \vdash enc(u, t_2)$ and $T'_j \vdash t_2$, from which we conclude that $T'_j \vdash u$, by symmetric decryption.

The last rule is an asymmetric decryption rule. There is a $w$ such that $T_j\theta \vdash priv(w)$ and $T_j\theta \vdash enca(u\theta, w)$. As in the previous case, there is a non-variable $t \in St(T_j)$ such that $t\theta = enca(u\theta, w)$. By induction hypothesis, $T'_j \vdash t$. Let $t = enca(t_1, t_2)$.

As in the previous case, $t_1$ cannot be a variable. Therefore $t_1, u$ are two non-variable subterms of $T_i$ such that $t_1\theta = u\theta$, which implies that $t_1 = u$ (we use here the hypotheses 2 and 5).

On the other hand, the last rule in the proof of $T_j\theta \vdash priv(w)$ is a decomposition (no composition rule can yield a term headed with $priv$). Then, by Lemma 4.9 ($T_j$ satisfies the hypotheses of the lemma since $T_j \subseteq T_i$), there is a non-variable subterm $w_1 \in St(T_j)$ such that $w_1\theta = priv(w)$. Let $w_1 = priv(w_2)$. By induction hypothesis, $T'_j \vdash priv(w_2)$.

$$\frac{T_j\theta \vdash enca(u\theta, w) = enca(t_1,t_2)\theta \qquad T_j\theta \vdash priv(w) = priv(w_2)\theta}{T_j\theta \vdash u\theta}$$

By hypothesis 2 of the lemma, $t_2$ and $w_2$ cannot both be non-variable, unless they are identical. Then, by hypotheses 3 and 4 of the lemma, we must have $t_2 = w_2$. Finally, from $T'_j \vdash enca(u, t_2)$ and $T'_j \vdash priv(t_2)$ we conclude $T'_j \vdash u$.

The last rule is a projection rule.

$$\frac{T_j\theta \vdash \langle u\theta, v\rangle}{T_j\theta \vdash u\theta}$$

As before, by simplicity, the last rule of the proof of $T_j\theta \vdash \langle u\theta, v\rangle$ must be a decomposition and, by Lemma 4.9, there is a non-variable term $t \in St(T_j)$ such that $t\theta = \langle u\theta, v\rangle$. We let $t = \langle t_1, t_2\rangle$. By induction hypothesis, $T'_j \vdash t$.

Now, as in the previous cases, $t_1$ cannot be a variable, by minimality of $T_j$ and hypothesis 1 of the lemma. Next, by hypotheses 2 and 5, we must have $t_1 = u$. Finally, from $T'_j \vdash \langle u, t_2\rangle$ we conclude $T'_j \vdash u$ by projection.

The last rule is an unsigning rule.

$$\frac{T_j\theta \vdash sign(u\theta, v)}{T_j\theta \vdash u\theta}$$

This case is identical to the previous one.

The last rule is a composition. Assume for example that it is the symmetric encryption rule.

$$\frac{T_j\theta \vdash v_1 \qquad T_j\theta \vdash v_2}{T_j\theta \vdash enc(v_1, v_2)}$$

with $u\theta = enc(v_1, v_2)$. Since $u$ is not a variable, $u = enc(u_1, u_2)$, $u_1\theta = v_1$, and $u_2\theta = v_2$. If $u_1$ (resp. $u_2$) is a variable then $u_1$ (resp. $u_2$) belongs to $V(T_i)$ since $u \in St(T_i)$. By point 2 of Definition 3.2 and hypothesis 1 of the lemma, $u_1 \in T'_i$ (resp. $u_2 \in T'_i$).

Otherwise, $u_1$ and $u_2$ are non-variables. Then, by induction hypothesis, $T'_i \vdash u_1$ and $T'_i \vdash u_2$. Hence in both cases we have $T'_i \vdash u_1$ and $T'_i \vdash u_2$. Thus $T'_i \vdash u$.

The proof is similar for other composition rules. In the decomposition cases we obtained $T'_j \vdash u$, which implies $T'_i \vdash u$ since $T'_j \subseteq T'_i$.

□

Lemma 4.11 (Completeness). If $C$ is an unsolved deducibility constraint system and $\theta$ is a solution of $C$, then there is a deducibility constraint system $C'$, a substitution $\sigma$, and a solution $\tau$ of $C'$ such that $C \rightsquigarrow_\sigma C'$ and $\theta = \sigma\tau$.

Proof. Consider a constraint $T_i \Vdash u_i$ such that, for any $(T \Vdash v) \in C$ such that $T \subsetneq T_i$, $v$ is a variable, and assume $u_i$ is not a variable. If $C$ is unsolved, there is such a constraint in $C$.

Since $\theta$ is a solution, $T_i\theta \vdash u_i\theta$. Consider a simple proof of $T_i\theta \vdash u_i\theta$. We distinguish cases, depending on the last rule applied in this proof:

The last rule is a composition. Since $u_i$ is not a variable, $u_i = f(u_1, \dots, u_n)$ and $T_i\theta \vdash u_j\theta$ for every $j = 1, \dots, n$. Then we may apply the transformation rule $R_f$ to $C$, yielding constraints $T_i \Vdash u_j$ in $C'$ for every $j$. $\theta$ is a solution of the resulting deducibility constraint system $C'$ by hypothesis.

The last rule is an axiom or a decomposition. By Lemma 4.9, there is a non-variable term $t \in St(T_i)$ such that $t\theta = u_i\theta$. We distinguish then again between cases, depending on $t, u_i$:

Case $t \neq u_i$. Then, since $t, u_i$ are both non-variable terms, we may apply the simplification rule $R_2$ to $C$: $C \rightsquigarrow_\sigma C'$ where $C' = C\sigma$ and $\sigma = mgu(t, u_i)$. Furthermore, $t\theta = u_i\theta$, hence (by definition of a mgu) there is a substitution $\tau$ such that $\theta = \sigma\tau$. Finally, $\theta$ is a solution of $C$, hence $\tau$ is a solution of $C'$.

Case $t = u_i$. Then $u_i \in St(T_i)$.

(1) If there are two distinct non-variable terms $t_1, t_2 \in St(T_i)$ such that $t_1\theta = t_2\theta$, then we apply the simplification rule $R_3$, yielding a deducibility constraint system $C' = C\sigma$. As in the previous case, there is a substitution $\tau$ such that $\theta = \sigma\tau$ and $\tau$ is a solution of $C'$.

(2) If there are $enca(t_1, t_2), priv(t_3) \in St(T_i)$ such that either $t_2$ or $t_3$ is a variable, $t_2 \neq t_3$ and $t_2\theta = t_3\theta$, then we may apply the rule $R'_3$ and conclude as in the previous case.

(3) Otherwise, we match all hypotheses of Lemma 4.10 and we conclude that $T'_i \vdash u_i$. Then the rule $R_1$ can be applied to $C$, yielding a deducibility constraint system of which $\theta$ is again a solution.

□
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4.4 Termination 

The simplification rules also terminate, whatever strategy is used for their application:

Lemma 4.12. The constraint simplification rules of Figure 2 are (strongly) terminating.

Proof. Interpret any deducibility constraint system $C$ as a pair of non-negative integers $I(C) = (n, m)$ where $n$ is the number of variables of the system and $m$ is the number of function symbols occurring in the right hand sides of the system (here, we assume no sharing of subterms). If $C \rightsquigarrow_\sigma C'$, then $I(C) >_{lex} I(C')$ where $>_{lex}$ is the lexicographic ordering on pairs of integers. Indeed, the first component strictly decreases by applying $R_2$, $R_3$, $R'_3$, and any other rule strictly decreases the second component, while not increasing the first one. The well foundedness of the lexicographic extension of a well-founded ordering implies the termination of any sequence of rules. □

4.5 Proof of Theorem 4.3

Theorem 4.3 follows from Lemmas 4.7, 4.11, and 4.12, by induction on the derivation length, and since, by Lemma 4.11, a satisfiable deducibility constraint system on which no simplification rule can be applied must be solved. Note that the extension of the correctness and completeness lemmas to security properties is trivial. Indeed, if $\phi$ is a (in)security property, then $\theta$ is a solution of $\phi\sigma$ if and only if $\sigma\theta$ is a solution of $\phi$, for any substitutions $\theta$ and $\sigma$.

4.6 A decision procedure in NP-time 

The termination proof of the last section does not provide tight complexity bounds. In fact, applying the simplification rules may lead to branches of exponential length (in the size of the constraint system). Indeed, when applying a simplification rule to a deducibility constraint, the initial constraint is removed from the constraint system and replaced by new constraint(s). But this deducibility constraint may appear again later on, due to other simplification rules. It is the case for example when considering the following deducibility constraint system $C$:

$$\begin{array}{ll} T_0 = \{enc(a, k_0)\} & \Vdash enc(x_0, k_0) \\ T_1 = T_0 \cup \{enc(\langle x_0, \langle x_0, a\rangle\rangle, k_1)\} & \Vdash enc(x_1, k_1) \\ \quad\vdots & \\ T_n = T_{n-1} \cup \{enc(\langle x_{n-1}, \langle x_{n-1}, a\rangle\rangle, k_n)\} & \Vdash enc(x_n, k_n) \\ T_{n+1} = T_n \cup \{a\} & \Vdash x_n \end{array}$$

The deducibility constraint system $C$ is clearly satisfiable and its size is linear in $n$. We have that

$$C \;\rightsquigarrow^*_\sigma\; \left\{ \begin{array}{l} T_0 \Vdash enc(x_0, k_0) \\ T_{n+1}\sigma \Vdash x_n\sigma \end{array} \right.$$

with $\sigma(x_{i+1}) = \langle x_i, \langle x_i, a\rangle\rangle$ for $0 \le i \le n-1$. This derivation is obtained by applying rule $R_2$ and then $R_1$ for each constraint $T_i \Vdash enc(x_i, k_i)$ with $1 \le i \le n$. The rule $R_1$ cannot be applied to $T_{n+1}\sigma \Vdash x_n\sigma$ since $x_0$ and the keys $k_i$ are not present in or derivable from $T_{n+1}\sigma$. Note that $\sigma' = \sigma \cup \{a/x_0\}$ is a solution of $C$ and can be easily obtained by rule $R_2$ on the first constraint and then rule $R_1$ on both constraints.

However, there is a branch of length $3(2^n - 1)$ from $T \Vdash x_n\sigma$ leading to $T \Vdash x_0$ (in solved form), where $T$ denotes $T_{n+1}\sigma$. This is easy to see by induction on $n$. It is true for $n = 0$. Then, using only the rules $R_{\langle\rangle}$ and $R_1$, we have

$$T \Vdash x_n\sigma \;\rightsquigarrow_{R_{\langle\rangle}}\; \left\{\begin{array}{l} T \Vdash x_{n-1}\sigma \\ T \Vdash \langle x_{n-1}\sigma, a\rangle \end{array}\right. \;\rightsquigarrow^m\; \left\{\begin{array}{l} T \Vdash x_0 \\ T \Vdash \langle x_{n-1}\sigma, a\rangle \end{array}\right. \;\rightsquigarrow_{R_{\langle\rangle}}\; \left\{\begin{array}{l} T \Vdash x_0 \\ T \Vdash x_{n-1}\sigma \\ T \Vdash a \end{array}\right. \;\rightsquigarrow_{R_1}\; \left\{\begin{array}{l} T \Vdash x_0 \\ T \Vdash x_{n-1}\sigma \end{array}\right. \;\rightsquigarrow^m\; T \Vdash x_0$$

with $m = 3(2^{n-1} - 1)$ by induction hypothesis. The length of the branch is $2 \times 3(2^{n-1} - 1) + 3 = 3(2^n - 1)$. This shows that there exist branches of exponential length in the size of the constraint.

We can prove that it is actually not useful to consider deducibility constraints that have already been seen before (like the constraint $T \Vdash x_{n-1}\sigma$ in our example). Thus we memorize the constraints that have already been visited. The constraint simplification rules, instead of operating on a single deducibility constraint system, rewrite a pair of two constraint systems, the second one representing deducibility constraints that have already been processed at this stage: if $C \rightsquigarrow_\sigma C'$, then

$$C; D \;\rightsquigarrow_\sigma\; C' \setminus D;\ D \cup (C \setminus C')$$

The constraints ("memorized") in $D$ are those which were already analyzed (i.e. transformed or eliminated). The initial constraint system is $C; \emptyset$.
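To make the blow-up and the effect of memorization concrete, the following Python program (an added example, not code from the paper) builds the term $x_n\sigma$, counts the $R_{\langle\rangle}$ and $R_1$ steps of the branch above with and without the memory set $D$, and compares the count with the closed form $3(2^n - 1)$. It assumes the branch is followed exactly as displayed (each pair is split by $R_{\langle\rangle}$, the constraint $T \Vdash a$ is removed by $R_1$ because $a \in T$, and $T \Vdash x_0$ is kept as the solved form); pairs are encoded as `("pair", l, r)` and the variable $x_0$ as the string `"?x0"`, which is our own encoding.

```python
"""Length of the R_<> / R1 branch of Section 4.6, with and without the
memorization of already-processed constraints (added example)."""


def x_sigma(n):
    """The term x_n sigma for sigma(x_{i+1}) = <x_i, <x_i, a>>; x_0 stays a variable.
    Pairs are encoded as ("pair", l, r) and "a" is the constant a (our encoding)."""
    t = "?x0"
    for _ in range(n):
        t = ("pair", t, ("pair", t, "a"))
    return t


def branch_length(n, memorize):
    """Count the rule applications needed to reduce T |- x_n sigma to the
    solved form T |- x_0, where T = T_{n+1} sigma (so a is in T and R1 removes
    the constraint T |- a in one step). Each pair costs one R_<> step and each
    occurrence of a costs one R1 step; the constraint T |- x_0 is kept. With
    memorization, a constraint that was already processed (the set D of the
    text) is dropped immediately and costs nothing."""
    seen = set()

    def process(u):
        if memorize:
            if u in seen:
                return 0
            seen.add(u)
        if isinstance(u, tuple):          # R_<>: T |- <l, r>  becomes  T |- l, T |- r
            return 1 + process(u[1]) + process(u[2])
        if u == "a":                      # R1: a is in T, so T |- a is redundant
            return 1
        return 0                          # T |- x_0 is already in solved form

    return process(x_sigma(n))


def closed_form(n):
    """The bound 3(2^n - 1) derived in the text for the branch without memorization."""
    return 3 * (2 ** n - 1)


if __name__ == "__main__":
    for n in range(6):
        print(n, branch_length(n, False), closed_form(n), branch_length(n, True))
```

Without memorization the count follows the recurrence $2m + 3$ of the text exactly; with memorization the second occurrence of $T \Vdash x_{n-1}\sigma$ and of $T \Vdash a$ are dropped, and the branch length grows linearly ($2n + 1$ steps for $n \ge 1$).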

First, memorization indeed prevents from performing several times the same transformation:

Lemma 4.13. If $C$ is a deducibility constraint system and $C; \emptyset \rightsquigarrow^* C'; D'$ then $C' \cap D' = \emptyset$.

Proof. By induction on the length of the derivation: for one step $C; D \rightsquigarrow C' \setminus D;\ D \cup (C \setminus C')$ we have

$$(C' \setminus D) \cap ((C \setminus C') \cup D) = ((C' \setminus D) \cap D) \cup ((C' \setminus D) \cap (C \setminus C')) = \emptyset.$$

□

This kind of memorization is correct and complete in a more general setting. We assume in this section that the reader is familiar with the usual notions of first-order formulas, first-order structures, and models of first-order logic.

A (general) constraint is a (first-order) formula, together with an interpretation structure $S$. A (general) constraint system $C$ is a finite set of constraints, whose interpretation is the same as their conjunction. If $\sigma$ is an assignment of the free variables of $C$ to the domain of $S$, $\sigma$ is a solution of $C$ if $\sigma, S \models C$. In the context of constraint systems, $S$ is omitted: the satisfaction relation $\models$ refers implicitly to $S$. It is extended, as usual, to entailment: $C \models C'$ if any solution of $C$ is also a solution of $C'$. We may consider constraints $c$ as singleton constraint systems, and thus write for example $c \models c'$ instead of $\{c\} \models \{c'\}$.

A (general) constraint system transformation is a binary relation $\rightsquigarrow$ on constraint systems such that, for any sequence (finite or infinite) $C_1 \rightsquigarrow \cdots \rightsquigarrow C_n \rightsquigarrow \cdots$, there is an ordering $>$ on individual constraints such that, for every $i$, for every $c \in C_i \setminus C_{i+1}$, we have

$$\{d \in C_{i+1} \mid d < c\} \models c. \qquad (4)$$

This expresses the correctness of the transformations: only redundant formulas are removed. The ordering need not be well-founded.

Our deducibility constraint systems and deducibility constraint simplification rules satisfy these properties. More precisely, we need to consider the substitutions (partial assignments) as part of the constraint system, in order to fit with the above definition: constraint systems come in two parts: a set of deducibility constraints and a set of solved equations, recording the substitution computed so far. In other words, a sequence of simplification steps $C_0 \rightsquigarrow_{\sigma_1} C_1 \rightsquigarrow_{\sigma_2} \cdots$ can be written as a general transformation sequence $C_0 \rightsquigarrow (C_1 \wedge \sigma_1) \rightsquigarrow (C_2 \wedge \sigma_1 \wedge \sigma_2) \cdots$, where substitutions $\{t_1/x_1, \dots, t_n/x_n\}$ are seen as conjunctions of solved equations $(x_1 = t_1) \wedge \cdots \wedge (x_n = t_n)$.

We show next that for any sequence $C_0 \rightsquigarrow_{\sigma_1} C_1 \rightsquigarrow_{\sigma_2} \cdots$ of simplification steps there is an ordering $>$ on the corresponding general constraints such that (4) holds.

We start by defining the ordering. First, we order the variables by $x > y$ if, for some $i$, $y \in V(x\sigma_1 \cdots \sigma_i)$ and $y \neq x$. Intuitively, $x > y$ if $x$ is instantiated before $y$ in the considered derivation. Indeed, let $i_x$ be the minimum among all indexes $i$ such that $x\sigma_i \neq x$ if this minimum exists and $\infty$ otherwise. Then $x > y$ implies that either $i_x < i_y$, or $i_x = i_y$ and $y \in V(x\sigma_{i_x})$. (Note that in this last case we cannot have both $y \in V(x\sigma_{i_x})$ and $x \in V(y\sigma_{i_x})$, by the definition of a mgu.) This observation proves that the relation $>$ on variables is an ordering. Next, we let $(T \Vdash u) > (T' \Vdash u')$ if

— either the multiset of variables occurring in $T$ is strictly larger than the multiset of variables occurring in $T'$; such multisets are ordered by the multiset extension of the ordering on variables;

— or else the multisets of variables are identical, and $T' \subsetneq T$;

— or else $T = T'$ and the multiset of variables in $u$ is strictly larger than the multiset of variables in $u'$;

— or else, $T = T'$, the multisets of variables are identical and the size of $u$ is strictly larger than the size of $u'$.

This is an ordering as a lexicographic composition of orderings. Finally, any solved equation (i.e. substitution) is strictly smaller than any deducibility constraint, and equations are not comparable.

The ordering we have just defined could have been used for the termination proof, as it is a well-founded ordering. It will now be considered as the default ordering on constraints, when a derivation sequence is fixed.

This ordering also satisfies the above required hypotheses for general constraint system transformations, as shown by the proof of the following proposition.

Proposition 4.14. The simplification rules on deducibility constraint systems form a general constraint system transformation.

Proof. Let $C_0 \rightsquigarrow_{\sigma_1} C_1 \rightsquigarrow_{\sigma_2} \cdots$ be a simplification sequence. We consider the ordering on deducibility constraints (viewed as general constraints) defined above.

We show next that (4) holds. Note that in (4), $c$ cannot be a solved equation, because at each step solved equations $(x = x\sigma_{i+1})$ may be added but no equation is eliminated. Thus let $(T \Vdash u) \in C_i \setminus C_{i+1}$, for some $i \ge 0$. We need to show that

$$\bigwedge_{\substack{(T' \Vdash u') \in C_{i+1} \\ (T' \Vdash u') < (T \Vdash u)}} T' \Vdash u' \;\;\wedge\;\; \bigwedge_{1 \le j \le i+1} \sigma_j \;\models\; T \Vdash u \qquad (5)$$

We investigate the possible transformation rules.

For the rules $R_2, R_3, R'_3$, $C_{i+1} = C_i\sigma_{i+1}$. We have $(T \Vdash u) > (T\sigma_{i+1} \Vdash u\sigma_{i+1})$ since either the multiset of variables of $T\sigma_{i+1}$ is strictly smaller than the multiset of variables of $T$, or else $T = T\sigma_{i+1}$ and, in the latter case, the multiset of variables of $u\sigma_{i+1}$ is strictly smaller than the multiset of variables of $u$ (if also $u\sigma_{i+1} = u$, the constraint is unchanged and does not belong to $C_i \setminus C_{i+1}$). Moreover, $c\sigma \wedge \sigma \models c$ for all constraints $c$ and substitutions $\sigma$. Indeed, if $\theta$ is a solution of $c\sigma \wedge \sigma$ then $x\theta = x\sigma\theta$ for any $x \in dom(\sigma)$. It follows that $c\theta = c\sigma\theta$, and thus $\theta$ is a solution of $c$.

Hence, we have in particular that $(T\sigma_{i+1} \Vdash u\sigma_{i+1}) \wedge \sigma_{i+1} \models T \Vdash u$, which shows that (5) holds for this case.

For the rule $R_f$, it suffices to notice that $\{T \Vdash u_1, \dots, T \Vdash u_n\} \models (T \Vdash f(u_1, \dots, u_n))$ and $(T \Vdash u_j) < (T \Vdash f(u_1, \dots, u_n))$ for every $j$.

For the rule $R_1$, the constraint $T \Vdash u$ is a consequence of the (strictly smaller) constraints $T' \Vdash x$ for $T' \subsetneq T$.

Finally, the rule $R_4$ only applies to unsatisfiable deducibility constraints. □

The memorization strategy can be defined, as above, for any general constraint system transformation. The correctness of the memorization strategy relies on the following invariant:

Lemma 4.15. For any constraint system transformation, if $C; \emptyset \rightsquigarrow^* C'; D'$, then $C' \models D'$.

Proof. We prove, by induction on the length of the derivation sequence, the following stronger result: $\forall d \in D'$, $\{c \in C' \mid c < d\} \models d$.

The base case is straightforward as $D'$ is empty. Next, assume that $C; D \rightsquigarrow C'; D'$. By definition, $D' = D \cup (C \setminus C')$. If $d \in C \setminus C'$, by definition of a constraint transformation rule, $\{c \in C' \mid c < d\} \models d$. If $d \in D$, by induction hypothesis, $\{c \in C \mid c < d\} \models d$. Hence $\{c \in C' \mid c < d\} \cup \{c \in C \setminus C' \mid c < d\} \models d$. But, again by definition of constraint transformations, any constraint in the second set is a consequence of the first set: we get $\{c \in C' \mid c < d\} \models d$. □

It follows that the memorization strategy is always correct when the original constraint transformation is correct.

Now, the memorization strategy preserves the properties of our deducibility constraint systems:

Lemma 4.16. If $C$ is a deducibility constraint system and $C; \emptyset \rightsquigarrow^* C'; D'$ then $C'$ is a deducibility constraint system.

Proof. Let $(C_i; D_i) \rightsquigarrow_{\sigma_{i+1}} (C_{i+1}; D_{i+1})$ with $0 \le i < n$ be the sequence of deducibility constraint systems obtained by applying successively the simplification rules, where $C_0 = C$, $D_0 = \emptyset$, $C_n = C'$, and $C_i \rightsquigarrow_{\sigma_{i+1}} C'_{i+1}$ (and thus $C_{i+1} = C'_{i+1} \setminus D_i$, and $D_{i+1} = D_i \cup (C_i \setminus C'_{i+1})$). We know that $C'_i$ is a deducibility constraint system, by Lemma 4.6.

First, the left members of $C_i$ are linearly ordered by inclusion, as they are a subset of the left members of $C'_i$.

We consider now the other property of deducibility constraint systems. We let $>$ be the ordering on constraints defined before. We show below, by induction on $i$, that, for every $x \in V(C_i)$, for every $(T \Vdash u) \in D_i$ such that $x \in V(u) \setminus V(T)$, there is a $(T' \Vdash u') \in C_i$ such that $x \in V(u') \setminus V(T')$ and $(T' \Vdash u') < (T \Vdash u)$.

Note that this property implies that $C_i$ is a deducibility constraint system: for every variable $x \in V(C_i)$, there is $(T_x \Vdash u) \in C'_i$ such that $x \in V(u) \setminus V(T_x)$, as $C'_i$ is a deducibility constraint system. If $(T_x \Vdash u) \in C_i$ then we are done; otherwise $(T_x \Vdash u) \in D_i$, and hence, by the stated property, there is $(T'_x \Vdash u') \in C_i$ such that $x \in V(u') \setminus V(T'_x)$. This shows that $C_i$ is a deducibility constraint system.

The property holds trivially for $i = 0$. For the induction step, let $x \in V(C_{i+1})$ and $(T \Vdash u) \in D_{i+1}$ be such that $x \in V(u) \setminus V(T)$. We investigate three cases:

— if $C_{i+1}$ is obtained by one of the rules $R_2, R_3, R'_3$, then $C_{i+1} = C_i\sigma_{i+1} \setminus D_i$, and $x \notin dom(\sigma_{i+1})$. We assume w.l.o.g. that $T \Vdash u$ is a minimal constraint in $D_{i+1}$ such that $x \in V(u) \setminus V(T)$.

There is $(T' \Vdash u') \in C_i$ such that $x \in V(u') \setminus V(T')$ and $(T' \Vdash u') \le (T \Vdash u)$: if $(T \Vdash u) \in C_i$, we take $T' \Vdash u'$ to be $T \Vdash u$ itself; otherwise $(T \Vdash u) \in D_i$ and, by induction hypothesis, there is a $(T' \Vdash u') \in C_i$ such that $x \in V(u') \setminus V(T')$ and $(T' \Vdash u') < (T \Vdash u)$.

Let $S = \{y \in V(T') \mid x \in V(y\sigma_{i+1})\}$. By induction hypothesis $C_i$ is a constraint system, and hence, for every $y \in S$, there is a (minimal) constraint $T_y \Vdash u_y \in C_i$ such that $y \in V(u_y) \setminus V(T_y)$. Since $y \in V(T')$, $T_y \subsetneq T'$. Let $T_1 \Vdash u_1$ be a minimal element in $\{T_y \Vdash u_y \mid y \in S\} \cup \{T' \Vdash u'\}$. Suppose that $x \in V(T_1\sigma_{i+1})$. Since $x \notin V(T')$ and $T_y \subsetneq T'$, it follows that $x \notin V(T_1)$, and hence there is $z \in V(T_1)$ such that $x \in V(z\sigma_{i+1})$. It follows that $z \in S$ and $T_z \subsetneq T_1$, which contradicts the minimality of $T_1 \Vdash u_1$. Hence $x \in V(u_1\sigma_{i+1}) \setminus V(T_1\sigma_{i+1})$. Also $(T_1\sigma_{i+1} \Vdash u_1\sigma_{i+1}) \le (T_1 \Vdash u_1) \le (T' \Vdash u') \le (T \Vdash u)$. Furthermore, at least one of the inequalities is strict: if $(T \Vdash u) \in D_i$ the last inequality is strict, otherwise $(T \Vdash u) \in C_i \setminus C'_{i+1} = C_i \setminus C_i\sigma_{i+1}$, hence $(T\sigma_{i+1} \Vdash u\sigma_{i+1}) < (T \Vdash u)$. It follows that $(T_1\sigma_{i+1} \Vdash u_1\sigma_{i+1}) \in C_{i+1}$ by minimality of $T \Vdash u$.

— if $C_{i+1}$ is obtained by an $R_f$ rule, we may assume w.l.o.g. that $T \Vdash u$ is a minimal constraint in $D_{i+1}$ such that $x \in V(u) \setminus V(T)$.

Either $(T \Vdash u) \in D_i$, in which case, by induction hypothesis, there is $(T' \Vdash u') \in C_i$ such that $x \in V(u') \setminus V(T')$ and $(T' \Vdash u') < (T \Vdash u)$. If $(T' \Vdash u') \in C_{i+1}$, there is nothing to prove. Otherwise, $u' = f(u_1, \dots, u_n)$ and, for every $j$, $(T' \Vdash u_j) \in C_{i+1} \cup D_i$. Moreover, there is an index $j$ such that $x \in V(u_j) \setminus V(T')$ and, by minimality of $T \Vdash u$, $(T' \Vdash u_j) \in C_{i+1}$, hence completing this case.

Or else $(T \Vdash u) \in C_i \setminus C'_{i+1}$, in which case $u = f(u_1, \dots, u_n)$ and $(T \Vdash u_j) \in C_{i+1} \cup D_i$. As above, we conclude that for some $j$, $x \in V(u_j) \setminus V(T)$, $(T \Vdash u_j) \in C_{i+1}$ and $(T \Vdash u_j) < (T \Vdash u)$.

— if $C_{i+1}$ is obtained by the rule $R_1$ removing a constraint $T_1 \Vdash u_1$, then $D_{i+1} = D_i \cup \{T_1 \Vdash u_1\}$ and, by Lemma 4.6, for any variable $y \in V(u_1) \setminus V(T_1)$ there is a strictly smaller constraint $(T_2 \Vdash u_2) \in C_i$ such that $y \in V(u_2) \setminus V(T_2)$. Then we simply apply the induction hypothesis.

□
Theorem 4.17. Let $C$ be a deducibility constraint system, $\theta$ a substitution and $\phi$ a 
security property. 

(1) (Correctness) If $C; \emptyset \leadsto^*_\sigma C'; D'$ for some deducibility constraint system $C'$ and some 
substitution $\sigma$, and if $\theta$ is an attack for $C'$ and $\phi\sigma$, then $\sigma\theta$ is an attack for $C$ and $\phi$. 

(2) (Completeness) If $\theta$ is an attack for $C$ and $\phi$, then there exist a deducibility constraint 
system $C'$ in solved form, a set of deducibility constraints $D'$ and substitutions $\sigma$, $\theta'$ 
such that $\theta = \sigma\theta'$, $C; \emptyset \leadsto^*_\sigma C'; D'$, and $\theta'$ is an attack for $C'$ and $\phi\sigma$. 

(3) (Termination) If $C; \emptyset \leadsto^n_\sigma C'; D'$ for some deducibility constraint system $C'$ and some 
substitution $\sigma$, then $n$ is polynomially bounded in the size of $C$. 

Proof. For correctness, we rely on Lemmas 4.7 and 4.15: by Lemma 4.15, any solution 
$\theta$ of $C'$ is also a solution of $C' \cup D'\sigma$ and, by Lemma 4.7 (and induction), $\sigma\theta$ is a solution 
of $C$. 

For completeness, from Lemma 4.11, we know that if $C_i$ is an unsolved deducibility 
constraint system and $\theta$ is an attack for $C_i$ and $\phi$, then there is a deducibility constraint 
system $C'_{i+1}$, a substitution $\sigma_i$, and an attack $\tau_i$ for $C'_{i+1}$ and $\phi\sigma_i$ such that $C_i \leadsto_{\sigma_i} C'_{i+1}$ 
and $\theta = \sigma_i\tau_i$. Then $\tau_i$ is an attack also for $C'_{i+1} \setminus D_i$ and $\phi\sigma_i$, for any set of constraints 
$D_i$. By Lemma 4.16, we know that when $D_i$ represents the already visited constraints, 
$C'_{i+1} \setminus D_i$ is a deducibility constraint system. We can thus conclude by induction on the 
derivation length $n$, taking $C_0 = C$, $D_0 = \emptyset$, $C_{i+1} = C'_{i+1} \setminus D_i$ for all $i$, and $C_n = C'$. 

Concerning termination, we assume a DAG representation of the terms and constraints, 
in such a way that the size of a constraint is proportional to the number of distinct 
subterms occurring in it. Next, observe that $\#St(t\theta) \le \#\big(St(t) \cup \bigcup_{x \in dom(\theta)} St(x\theta)\big)$. 
Hence, when unifying two subterms of $t$ with mgu $\theta$, $\#St(t\theta) \le \#St(t)$ since, for every 
variable $x \in dom(\theta)$, $x\theta$ is a subterm of $t$. It follows that, for any constraint system $C'; D'$ 
such that $C; \emptyset \leadsto^*_\sigma C'; D'$, $\#St(C') \le \#St(C)$. 

Next, observe that the number $\#lhs(C')$ of distinct left hand sides of the constraints is 
never increasing: $\#lhs(C') \le \#lhs(C)$. Furthermore, as long as we only apply the rules 
$R_1, R_f$, starting from $C'$, the left hand sides of the deducibility constraint systems are 
fixed: there are at most $\#lhs(C')$ of them. Now, since, thanks to memorization, we cannot 
get twice the same constraint, the number of consecutive $R_1, R_f$ steps is bounded by 

$$\#lhs(C') \times \#St(rhs(C')) \le \#lhs(C) \times \#St(C)$$ 

It follows that the length of a derivation sequence is bounded by $\#\mathcal{V}(C) \times \#lhs(C) \times 
\#St(C)$ (for $R_1, R_f$ steps) plus $\#\mathcal{V}(C)$ (for $R_2, R_3, R'_3$ steps) plus 1 (for a possible $R_4$ 
step). □ 

Theorem 4.17 extends the result of [Rusinowitch and Turuani 2001] to sorted messages 
and general security properties. Handling arbitrary security properties is possible as soon 
as no solution of the deducibility constraint systems is forgotten (which is the case for our 
procedure). If we only preserve the existence of a solution of the constraint (as in [Rusinowitch 
and Turuani 2001]), it might be the case that the solution of $C$ that we kept is not a solution 
of the property $\phi$, while there are solutions of both $\phi$ and $C$ that were lost in the satisfiability 
decision of $C$. In addition, compared to [Rusinowitch and Turuani 2001], presenting the 
decision procedure using a small set of simplification rules makes it more easily amenable 
to further extensions and modifications. For example, Theorem 4.17 has been used 
in [Cortier et al. 2006] for proving that a new notion of secrecy in presence of hashes is 
decidable (and co-NP-complete) for a bounded number of sessions. 

Note that termination in polynomial time also requires the use of a DAG (Directed 
Acyclic Graph) representation for terms. 

The following corollary is easily obtained from the previous theorem by observing that 
we can guess the simplification rules which lead to a solved form. 

Corollary 4.18. Any property $\phi$ that can be decided in polynomial time on solved 
deducibility constraint systems can be decided in non-deterministic polynomial time on 
arbitrary deducibility constraint systems. 

4.7 An alternative approach to polynomial-time termination 

Inspecting the completeness proof, there is still some room for choosing a strategy while 
keeping completeness (correctness is independent of the order in which the rules are applied). 
To obtain even more flexibility, we slightly relax the condition on the application of the 
rule $R_2$ on a constraint $T \Vdash u$: we require unifying a subterm $t \in St(T)$ and a subterm 
$t' \in St(u)$ (instead of unifying $t$ with $u$), where, as before, $t \ne t'$ and $t, t'$ are non-variables. 
Remark that this change preserves the completeness of the procedure. 

Let us group the rules $R_2, R_3, R'_3$ and call them substitution rules $S$. We write $S(u, v)$ 
if the substitution is obtained by unifying $u$ and $v$. There are some basic observations: 

(1) If $C \leadsto_f C' \leadsto_\sigma C'\sigma$, then $C \leadsto_\sigma C\sigma \leadsto_f C'\sigma$. Hence we may always move 
forward the substitution rules. 

(2) If $C_1 \leadsto_f C'_1$ and $C_2 \leadsto_f C'_2$, then $C_1 \wedge C_2 \leadsto_f C'_1 \wedge C_2 \leadsto_f C'_1 \wedge C'_2$ and 
$C_1 \wedge C_2 \leadsto_f C_1 \wedge C'_2 \leadsto_f C'_1 \wedge C'_2$, hence any two consecutive applications of $R_f$ 
on different constraints can be performed in any order. 

(3) The rules $R_1, R_4$ can be applied at any time when they are enabled; we may apply 
them eagerly or postpone them until no other rule can be applied. 

(4) If $C \leadsto_{S(u_1, v_1)} C\sigma_1 \leadsto_{S(u_2\sigma_1, v_2\sigma_1)} C\sigma_1\sigma_2$, then, for some $\theta_1, \theta_2$, 

$$C \leadsto_{S(u_2, v_2)} C\theta_1 \leadsto_{S(u_1\theta_1, v_1\theta_1)} C\theta_1\theta_2$$ 

Hence any two consecutive substitution rules can be performed in any order. 

(5) If $C \leadsto_S C\sigma \leadsto_f C'\sigma$, and $S \ne R_2$, then $C \leadsto_f C' \leadsto_\sigma C'\sigma$. 

This provides several complete strategies. For instance the following strategy is 
complete: 

— apply eagerly $R_4$ and postpone $R_1$ as much as possible; 

— apply the substitution rules eagerly (as soon as they are enabled). This implies that 
all substitution rules are applied at once, since the rules $R_1, R_4, R_f$ cannot enable a 
substitution; 

— when $R_1$ and the substitution rules are not enabled, apply $R_f$ to the constraint whose right 
hand side is maximal (in size). 

Such a strategy will also yield polynomial length derivations, since we cannot get twice the 
same constraint: in any derivation sequence $C_0 \leadsto_{\sigma_1} \cdots \leadsto_{\sigma_n} C_n$, if $(T \Vdash u) \in C_i \setminus C_{i+1}$ 
(we say then that $T \Vdash u$ has been eliminated at this step), then, for any $j > i$, $(T \Vdash u) \notin 
C_j$. Indeed, for the substitution rules, $T \Vdash u$ is eliminated only when $x \in \mathcal{V}(T \Vdash u)$ and 
$x \in dom(\sigma_{i+1})$, in which case for any $j > i$, $x \notin \mathcal{V}(C_j)$. And, if $T \Vdash u$ is eliminated by 
an $R_f$ rule, then $|u| = \max_{t \in rhs(C_i)} |t|$. If, for some $j > i$, the constraint $T \Vdash u$ was in 
$C_{j+1}$ and not in $C_j$, then we would have $\max_{t \in rhs(C_j)} |t| > |u|$. Thus the maximum of the 
sizes of the right hand side terms would have increased, which is not possible according 
to our strategy. 

Then the complexity analysis of the proof of Theorem 4.17 can be applied here. 

The above observations can also be used to bound the non-determinism (which is useful 
in practice): for instance from (1) and (4), we see that substitution rules can be applied 
"don't care": if we use a substitution rule, we do not need to consider other alternatives. 
More precisely, if $S(t, u)$ is a substitution rule that is applicable to $C$, let $\mathcal{S}(C)$ be the set 
of substitution rules $S(t', u')$ which are applicable to $C$ and such that there is no $\theta$ other 
than the identity such that $mgu(t, u)\theta = mgu(t', u')$. Then 

$$\theta \models C \Rightarrow \bigvee_{S(t', u') \in \mathcal{S}(C)} \exists \theta'.\ \theta = mgu(t', u')\theta'$$ 

Similarly, from (5), a right-hand side member that is not unifiable with a non-variable 
subterm of the corresponding left hand side can be "don't care" decomposed: 

$$\theta \models C \wedge (T \Vdash f(u_1, \ldots, u_n)) \Rightarrow \theta \models C \wedge (T \Vdash u_1) \wedge \ldots \wedge (T \Vdash u_n)$$ 

if $f(u_1, \ldots, u_n)$ is not unifiable with any non-variable subterm of $T$. 

5. DECIDABILITY OF ENCRYPTION CYCLES 

Using the general approach presented in the previous section, verifying particular prop- 
erties like the existence of key cycles or the conformance to an a priori given ordering 
relation on keys can be reduced to deciding these properties on solved deducibility con- 
straint systems. We deduce a new decidability result, useful in models designed for proving 
cryptographic properties. 

To show that formal models (like the one presented in this article) are sound with respect 
to cryptographic ones, the authors usually assume that no key cycle can be produced during 
the execution of a protocol or, even stronger, assume that the "encrypts" relation on keys 
follows an a priori given ordering. 

For simplicity, and since there are very few papers constraining the key relations in an 
asymmetric setting, in this section we restrict our attention to key cycles and key orders on 
symmetric keys. Moreover, we consider atomic keys for symmetric encryption since there 
exists no general definition (with a cryptographic interpretation) of key cycles in the case 
of arbitrary composed keys, and soundness results are usually obtained for atomic keys. 

More precisely, we assume a sort $Key \subseteq Msg$ and we assume that the sort of $enc$ is 
$Msg \times Key \to Msg$. All the other symbols are of sort $Msg \times \cdots \times Msg \to Msg$. Hence 
only names and variables can be of sort $Key$. In this section we call key a variable or a 
name of sort $Key$. Finally, for any list of terms $L$, $L_S$ is the set of terms that are members 
of the list. 

In this section, we consider (in)security properties of the form $P(L)$ where $P$ is a pred- 
icate symbol and $L$ is a list of terms. Informally, $\sigma$ will be a solution of $P(L)$ if $L_S\sigma$ 
contains a key cycle. The precise interpretation of $P$ depends on the notion of key cycle: 
this is what we investigate first, in the following section. 
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5.1 Key cycles 

Many definitions of key cycles are available in the literature. They are stated in terms of an 
"encryption" relation between keys or occurrences of keys. An early definition proposed 
by Abadi and Rogaway [Abadi and Rogaway 2002] identifies a key cycle with a cycle 
in the encryption relation, with no conditions on the occurrences of the keys. However, 
the definition induced by Laud's approach [Laud 2002] corresponds to searching for such 
cycles only in the "visible" parts of a message. For example the message $enc(enc(k, k), k')$ 
contains a key cycle using the former definition but does not when using the latter one and 
assuming that $k'$ is secret. It is generally admitted that the Abadi-Rogaway definition is 
unnecessarily restrictive and hence we will say that the corresponding key cycles are strict. 
However, for completeness reasons, we treat both cases. 

There can still be other variants of the definition, depending on whether the relation 
"$k$ encrypts $k'$" is restricted or not to keys $k'$ that occur in plain-text. For example, 
$enc(enc(a, k), k)$ may or may not contain a key cycle. As above, even if occurrences 
of keys used for encrypting (as $k$ in $enc(m, k)$) need not be considered as encrypted keys, 
and hence can safely be ignored when defining key cycles, we consider both cases. Note 
that the initial Abadi-Rogaway setting considers that $enc(enc(a, k), k)$ has a key cycle. 

We write $s \le_{st} t$ if and only if $s$ is a subterm of $t$. $\sqsubseteq$ is the least reflexive and transitive 
relation satisfying: $s_1 \sqsubseteq (s_1, s_2)$, $s_2 \sqsubseteq (s_1, s_2)$, and, if $s \sqsubseteq t$ then $s \sqsubseteq enc(t, t')$. 
Intuitively, $s \sqsubseteq t$ iff $s$ is a subterm of $t$ that either occurs (at least once) in clear (i.e. not 
encrypted) or occurs (at least once) in a plain-text position. A position $p$ is a plain-text 
position in a term $u$ if there exists an occurrence $q$ of an encryption in $u$ such that $q \cdot 1 \le p$. 

Definition 5.1. Let $\rho$ be a relation chosen in $\{\le_{st}, \sqsubseteq\}$. Let $S$ be a set of terms and 
$k, k'$ be two keys. We say that $k$ encrypts $k'$ in $S$ (denoted $k \,\rho_e^S\, k'$) if there exist $m \in S$ 
and a term $m'$ such that 

$k' \,\rho\, m'$ and $enc(m', k) \sqsubseteq m$. 

For simplicity, we may write $\rho_e$ instead of $\rho_e^S$ if $S$ is clear from the context. Also, if $m$ is 
a message we denote by $\rho_e^m$ the relation $\rho_e^{\{m\}}$. 

Let $S$ be a set of terms. We define $hidden(S) \stackrel{def}{=} \{k \in St(S) \mid k \text{ of sort } Key,\ S \nvdash k\}$. 

Definition 5.2 (Strict key cycle). Let $K$ be a set of keys. We say that a set of terms $S$ 
contains a strict key cycle on $K$ if there is a cycle in the restriction of the relation $\rho_e^S$ to $K$. 
Otherwise we say that $S$ is strictly acyclic on $K$. 

We define the predicate $P_{skc}$ as follows: $L \in P_{skc}$ if and only if the set $\{m \mid L_S \vdash m\}$ 
contains a strict key cycle on $hidden(L_S)$. 

We give now the definition induced by Laud's approach [Laud 2002]. He showed 
in a passive setting that if a protocol is secure when the intruder's power is given by a 
modified Dolev-Yao deduction system $\vdash_0$, then the protocol is secure in the computational 
model, without requiring a "no key cycle" condition. Rephrasing Laud's result in terms of 
the standard deduction system $\vdash$ gives rise to the definition of key cycles below, as has 
been proved in [Janvier 2006]. 

To state the following definition we need a more precise notion than the encrypts re- 
lation. We say that an occurrence $q$ of a key $k$ is protected by a key $k'$ in a term $m$ if 
$m|_{q'} = enc(m', k')$ for some term $m'$ and some position $q'$, and the occurrence of $k$ at $q$ 
in $m$ is a plain-text occurrence of $k$ in $m'$, that is $q' \cdot 1 \le q$. We extend this definition in 
the intuitive way to sets of terms. This can be done for example by indexing the terms in 
the set and adding this index as a prefix to the position in the term to obtain the position in 
the set. 

Definition 5.3 (Key cycle [Janvier 2006]). Let $K$ be a set of keys. We say that a set of 
terms $S$ is acyclic on $K$ if there exists a strict partial ordering $\prec$ on $K$ such that for all 
$k \in K$, for all occurrences $q$ of $k$ in plain-text position in $S$, there is $k' \in K$ such that 
$k' \prec k$ and $q$ is protected by $k'$ in $S$. Otherwise we say that $S$ contains a key cycle on $K$. 

We define the predicate $P_{kc}$ as follows: for any list of terms $L$, $L \in P_{kc}$ if and only if 
the set $\{m \mid L_S \vdash m\}$ contains a key cycle on $hidden(L_S)$. 

We say that a term $m$ contains a (strict) key cycle if the set $\{m\}$ contains one. 

Example 5.4. The messages $m = enc(enc(k, k), k')$ and $m' = (enc(k_1, k_2), enc(enc(k_2, 
k_3), k_1))$ are acyclic, while the message $m'' = ((enc(k_1, k_2), enc(enc(k_2, k_1), k_3)), k_3)$ 
has a key cycle. The orderings $k' \prec k$ and $k_3 \prec k_2 \prec k_1$ prove it for $m$ and $m'$, while for 
$m''$ such an ordering cannot be found since $k_3$ is deducible. However, all three messages 
have strict key cycles. 

5.2 Key orderings 

In order to establish soundness of formal models in a symmetric encryption setting, the 
requirements on the encrypts relation can be even stronger, in particular in the case of 
an active intruder. In [Backes and Pfitzmann 2004] and [Janvier et al. 2005] the authors 
require that a key never encrypts a younger key. More precisely, the encrypts relation has 
to be compatible with the ordering in which the keys are generated. Hence we also want 
to check whether there exist executions of the protocol for which the encrypts relation is 
incompatible with an a priori given order on keys. 

Definition 5.5 (Key ordering). Let $\prec$ be a strict partial ordering on a set of keys $K$. We 
say that a set of terms $S$ is compatible with $\prec$ on $K$ if 

$k \,\rho_e^S\, k' \Rightarrow k' \prec k$, for all $k, k' \in K$. 

Given a strict partial ordering $\prec$ on a set of keys, we define the predicate $P_\prec$ as follows: 
$P_\prec$ holds on a list of terms $L$ if and only if the set $\{m \mid L_S \vdash m\}$ is compatible with $\prec$ on 
$hidden(L_S)$. 

For example, in [Backes and Pfitzmann 2004; Janvier et al. 2005] the authors choose $\prec$ to 
be the order in which the keys are generated: $k \prec k'$ if $k$ has been generated before $k'$. We 
denote by $P_{\not\prec}$ the negation of $P_\prec$. Indeed, an attack in this context is an execution such 
that the encrypts relation is incompatible with $\prec$. 

5.3 Properties that are independent of the notion of key cycle 

We show how to decide the existence of key cycles or the conformance to an ordering in 
polynomial time for solved deducibility constraint systems. Note that the set of messages 
on which our predicates are applied usually contains all messages sent on the network and 
possibly some additional intruder knowledge. 

We start with statements that do not depend on which notion of key cycle we choose. 

Lemma 5.6. Let $S$ be a set of terms, $m$ be a term and $k$ be a key such that $S \vdash m$ 
and $S \nvdash k$. Then for any plain-text occurrence $q$ of $k$ in $m$, there is a plain-text occurrence 
$q_0$ in $S$ such that, if there is a key $k'$ with $S \nvdash k'$ which protects $q_0$ in $S$, then $k'$ 
protects $q$ in $m$. 

Proof. We reason by induction on the depth of the proof of $S \vdash m$: 

— if the last rule is an axiom, then $m \in S$. We may simply choose $q_0 = q$. 
— if the last rule is a decryption, then $S \vdash enc(m, k'')$ and $S \vdash k''$ for some $k'' \ne k$. Take 
the position $q_1 = 1 \cdot q$ in $enc(m, k'')$. It is an occurrence of $k$. Applying the induction 
hypothesis we obtain an occurrence $q_0$ of $k$ in $S$ such that, if there is a key $k'$ with $S \nvdash k'$ 
which protects $q_0$ in $S$, then $k'$ protects $q_1$ in $enc(m, k'')$. Since $S \nvdash k'$, it follows 
that $k'' \ne k'$ and hence $k'$ protects $q$ in $m$. 
— if the last rule is another rule, we proceed in a similar way as above. 

□ 

As a corollary we obtain the following proposition, which states that, in the passive case, 
a key cycle can be deduced from a set S only if it already appears in S. 

Proposition 5.7. Let $L$ be a list of ground terms, and $\prec$ a strict partial ordering on 
a set of keys. The predicate $P_{kc}$ (respectively, $P_{skc}$ or $P_{\not\prec}$) holds on $L$ if and only if $L_S$ 
contains a key cycle (respectively, $L_S$ contains a strict key cycle, or the encrypts relation 
on $L_S$ is not compatible with $\prec$). 

Proof. The right to left direction is trivial since $L_S \subseteq \{m \mid L_S \vdash m\}$. 

We will prove the left to right direction only for the key cycle property; the other two 
properties can be proved in a similar way. Assume that there is no strict partial ordering 
satisfying the conditions in Definition 5.3 for $\{m \mid L_S \vdash m\}$. In other words, for any strict 
partial ordering $\prec$ on $hidden(L_S)$ there is a key $k$ and an occurrence $q$ of $k$ in $\{m \mid L_S \vdash m\}$ 
such that for any key $k'$, $k'$ protects $q$ in $\{m \mid L_S \vdash m\}$ implies $k' \not\prec k$. Using the previous 
lemma we can replace $\{m \mid L_S \vdash m\}$ by $L_S$ in the previous sentence, thus obtaining that 
there is a key cycle in $L_S$. □ 

The next lemma will be used to show that $hidden(L_S\theta)$ does not depend on the solution $\theta$ 
of a solved constraint system $C$. 

Lemma 5.8. Let $T \Vdash x$ be a constraint of a solved constraint system $C$, $\theta$ a solution 
of $C$ and $m$ a non-variable term. If $T\theta \vdash m$ then there is a non-variable term $u$ with 
$\mathcal{V}(u) \subseteq \mathcal{V}(T)$ such that $T \cup \mathcal{V}(T) \vdash u$ and $m = u\theta$. 

Proof. We write $C$ as $\bigwedge_i (T_i \Vdash x_i)$ with $1 \le i \le n$ and $T_i \subseteq T_{i+1}$. Consider the 
index $i$ of the constraint $T \Vdash x$, that is such that $(T_i \Vdash u_i) \in C$, $T_i = T$ and $u_i = x$. The 
lemma is proved by induction on $(i, l)$ (considering the lexicographical ordering) where $l$ 
is the length of the proof of $T_i\theta \vdash m$. Consider the last rule of the proof: 

— (axiom rule) $m \in T_i\theta$. Then there is $u \in T_i$ such that $m = u\theta$. If $u$ is a variable 
then there is $j < i$ such that $T_j \Vdash u$ is a constraint of $C$. We have $T_j\theta \vdash u\theta$. Then 
by induction hypothesis there is a non-variable term $u'$ with $\mathcal{V}(u') \subseteq \mathcal{V}(T_j)$ such that 
$T_j \cup \mathcal{V}(T_j) \vdash u'$ and $u\theta = u'\theta$. Hence $u'$ satisfies the conditions. 

— (decomposition rule) Suppose the rule is the decryption rule. Then the premises of the 
rule are $T_i\theta \vdash enc(m, k)$ and $T_i\theta \vdash k$ for some term $k$. By induction hypothesis there 
are non-variable terms $u_1$ and $u_2$ with $\mathcal{V}(u_1), \mathcal{V}(u_2) \subseteq \mathcal{V}(T_i)$ such that $T_i \cup \mathcal{V}(T_i) \vdash u_1$, 
$T_i \cup \mathcal{V}(T_i) \vdash u_2$, $u_1\theta = enc(m, k)$ and $u_2\theta = k$. Then $u_1 = enc(u, u'_2)$ with $u\theta = m$ 
and $u'_2\theta = k$. If $u$ is a variable then, as in the previous case, we find a $u'$ satisfying 
the conditions. Suppose $u$ is not a variable. We still need to show that $T_i \cup \mathcal{V}(T_i) \vdash u$. 
If $u'_2$ is a variable then $T_i \cup \mathcal{V}(T_i) \vdash u'_2$ since $u'_2 \in \mathcal{V}(T_i)$. If $u'_2$ is not a variable then 
$u_2\theta = u'_2$, hence $u_2 = u'_2$. In both cases it follows that $T_i \cup \mathcal{V}(T_i) \vdash u$. The projection 
rule case is simpler and is treated similarly. 
— (composition rule) This case follows easily from the induction hypothesis applied on the 
premises. 

□ 

Corollary 5.9. Let $T \Vdash x$ be a constraint of a solved deducibility constraint system 
$C$, and $\theta, \theta'$ be two solutions of $C$. Then for any key $k$, $T\theta \vdash k$ if and only if $T\theta' \vdash k$. 

Proof. Suppose that $T\theta \vdash k$. From the previous lemma we obtain that there is a non- 
variable $u$ with $\mathcal{V}(u) \subseteq \mathcal{V}(T)$ such that $T \cup \mathcal{V}(T) \vdash u$ and $k = u\theta$. Since keys are atomic 
and $\theta$ is a ground substitution it follows that $u = k$. Hence $T\theta' \cup \{x\theta' \mid x \in \mathcal{V}(T)\} \vdash k$. 
So $T\theta' \vdash k$, since $\theta'$ is a solution (and thus $T\theta' \vdash x\theta'$ for all $x \in \mathcal{V}(T)$) and by using 
Lemma 4.5. □ 

5.4 Decision results 

On solved deducibility constraint systems, it is possible to decide in polynomial time 
whether an attacker can trigger a key cycle or not, whatever notion of key cycle we con- 
sider: 

Proposition 5.10. Let $C$ be a solved deducibility constraint system, $L$ be a list of 
messages such that $\mathcal{V}(L_S) \subseteq \mathcal{V}(C)$ and $lhs(C) \subseteq L_S$, and $\prec$ a strict partial ordering on 
a set of keys. Deciding whether there exists an attack for $C$ and $P(L)$ can be done in 
$O(|L|^2)$, for any $P \in \{P_{kc}, P_{skc}, P_{\not\prec}\}$. 

We devote the remainder of this section to the proof of the above proposition. 

We know by Proposition 5.7 that it is sufficient to analyze the encrypts (or protects) 
relation only on $L_S\theta$ (and not on every deducible term), where $\theta$ is an arbitrary solution. 

We can safely assume that there is exactly one deducibility constraint for each variable. 
Indeed, eliminating from $C$ all constraints $T' \Vdash x$ for which there is a constraint $T \Vdash x$ in 
$C$ with $T \subsetneq T'$ we obtain an equivalent deducibility constraint system $C'$: $\sigma$ is a solution 
of $C$ iff it is a solution of $C'$. Let $t_x$ be the term obtained by pairing all terms of $T_x$ (in 
some arbitrary ordering). We write $C$ as $\bigwedge_i (T_i \Vdash x_i)$ with $1 \le i \le n$ and $T_i \subseteq T_{i+1}$. We 
construct the following substitution $\tau = \tau_1 \ldots \tau_n$, where $\tau_i$ is defined inductively as follows: 

- $dom(\tau_1) = \{x_1\}$ and $x_1\tau_1 = t_{x_1}$ 

- $\tau_{i+1} = \tau_i \cup \{x_{i+1} \mapsto t_{x_{i+1}}\tau_i\}$. 

The construction is correct by the definition of deducibility constraint systems. It is clear 
that $\tau$ is a solution of $C$. We show next that it is sufficient to analyze this particular solution. 

Key cycles. We focus first on the property $P_{kc}$. 

Lemma 5.11. Let $C$ be a solved deducibility constraint system, $L$ a list of terms such 
that $\mathcal{V}(L) \subseteq \mathcal{V}(C)$, $lhs(C) \subseteq L_S$, and assume $P$ is interpreted as $P_{kc}$. Then there is an 
attack for $C$ and $P(L)$ if and only if $\tau$ is an attack for $C$ and $P(L)$. 
Proof. We have to prove that if there is no partial ordering satisfying the conditions in 
Definition 5.3 for the set $L_S\theta$ (according to Proposition 5.7) then there is no partial ordering 
satisfying the same conditions for $L_S\tau$. Suppose that there is a strict partial ordering $\prec$ 
which satisfies the conditions for $L_S\tau$. We prove that the same partial ordering does the 
job for $L_S\theta$. 

Let $C' = C \wedge (L_S \Vdash z)$ where $z$ is a new variable. $C'$ is a deducibility constraint system 
since $lhs(C) \subseteq L_S$. We write $C'$ as $\bigwedge_i (T_i \Vdash x_i)$, with $1 \le i \le n$ and $T_i \subseteq T_{i+1}$. We prove 
by induction on $i$ that for all $k \in hidden(L_S\theta)$, for all plain-text occurrences $q$ of $k$ in $T_i\theta$ 
there is a key $k' \in hidden(L_S\theta)$ such that $k' \prec k$ and $k'$ protects $q$ in $T_i\theta$. It is sufficient to 
prove this since for $i = n$ we have $T_n = L_S$. Remark also that from Corollary 5.9 applied 
to $L_S \Vdash z$ we obtain that $hidden(L_S\theta) = hidden(L_S\tau)$. 

For $i = 1$ we have $T_1 = T_1\theta = T_1\tau$, hence the property is clearly satisfied for $\theta$ since it 
is satisfied for $\tau$. 

Let $i > 1$. Consider an occurrence $q$ of a key $k \in hidden(L_S\theta)$ in a plain-text position 
of $w$ for some $w \in T_i\theta$. Let $t \in T_i$ be such that $w = t\theta$. 

If $q$ is a non-variable position in $t$ then it is a position in $t\tau$. And since $\tau$ is a solution 
we have that there is a key $k' \in hidden(L_S\tau)$ (hence $k' \in hidden(L_S\theta)$) such that $k' \prec k$ 
and $q$ is protected by $k'$ in $t\tau$. The key $k'$ cannot occur in some $x\tau$, with $x \in \mathcal{V}(t)$, since 
otherwise $k'$ is deducible (indeed $x\tau = k'$ since the keys are atomic and $T_x\tau \vdash x\tau$). Hence 
$k'$ occurs in $t$. Then $k'$ protects $q$ in $t$, and thus in $w$ also. 

If $q$ is not a non-variable position in $t$ then there is a variable $x_j \in \mathcal{V}(t)$ with $j < i$ such 
that the occurrence $q$ in $w$ is an occurrence of $k$ in $x_j\theta$ (formally $q = p \cdot q'$ where $p$ is some 
position of $x_j$ in $t$ and $q'$ is some occurrence of $k$ in $x_j\theta$). Applying Lemma 5.6 we obtain 
that there is an occurrence $q_0$ of $k$ in $T_j\theta$ such that if there is a key $k'$ with $T_j\theta \nvdash k'$ and 
which protects $q_0$ in $T_j\theta$ then $k'$ protects $q'$ in $x_j\theta$. The existence of the key $k'$ is assured 
by the induction hypothesis on $T_j\theta$. Hence $k'$ protects $q'$ in $x_j\theta$ and thus $q$ in $w$. □ 

Hence we only need to check whether $\tau$ is an attack for $C$ and $P(L)$. Let $K = 
hidden(L_S\tau)$. We build inductively the sets $K_0 = \emptyset$ and, for all $i \ge 1$, 

$$K_i = \{k \in K \mid \forall q \in Pos_p(k, L_S\tau)\ \exists k' \text{ s.t. } k' \text{ protects } q \text{ and } k' \in K_{i-1}\}$$ 

where $Pos_p(m, T)$ denotes the plain-text positions of a term $m$ in a set $T$. Observe that for 
all $i \ge 0$, $K_i \subseteq K_{i+1}$. This can be proved easily by induction on $i$. Moreover, since $K$ is 
finite and $K_i \subseteq K$ for all $i \ge 0$, there is $l \ge 0$ such that $K_i = K_l$ for all $i \ge l$. 

Lemma 5.12. There exists $i \ge 0$ such that $K_i = K$ if and only if $L\tau \notin P_{kc}$. 

Proof. Consider first that there exists $i \ge 0$ such that $K_i = K$. Then take the following 
strict partial ordering on $K$: $k' \prec k$ if and only if there is $j \ge 0$ such that $k' \in K_j$ and 
$k \notin K_j$. Consider a key $k \in K$ and a plain-text occurrence $q$ of $k$ in $L_S\tau$. Then take $l \ge 1$ 
minimal such that $k \in K_l$. By the definition of $K_l$ there is $k' \in K$ such that $k'$ protects $q$ 
and $k' \in K_{l-1}$. Since $l$ is minimal, $k \notin K_{l-1}$. Hence $k' \prec k$. Thus $L\tau \notin P_{kc}$. 

Consider now that $\tau$ is a solution, that is, that $L_S\tau$ is acyclic on $K$. Suppose that 
$K_{i+1} = K_i \subsetneq K$. Let $k \in K \setminus K_{i+1}$. Since $k \notin K_{i+1}$ there is a plain-text occurrence 
$q$ of $k$ such that for all $k' \in K$ either $k'$ does not protect $q$, or $k' \notin K_i$. But since $\tau$ is a 
solution, there is $k'' \in K$ such that $k''$ protects $q$ and $k'' \prec k$. It follows that $k'' \notin K_i$, and 
thus $k'' \notin K_{i+1}$. Hence for an arbitrary $k \in K \setminus K_{i+1}$ we have found $k'' \in K \setminus K_{i+1}$ such 
that $k'' \prec k$. That is, we can build an infinite sequence $\ldots \prec k'' \prec k$ with distinct elements 
from a finite set, a contradiction. So there exists $i \ge 0$ such that $K_i = K$. □ 

Hence to check whether $L\tau \in P_{kc}$, we only need to construct the sets $K_i$ until $K_{i+1} = 
K_i$ and then to check whether $K_i = K$. This algorithm is similar to a classical method 
for finding a topological sorting of the vertices of a directed graph (and for finding cycles). It 
is also similar to that given by Janvier [Janvier 2006] for the intruder deduction problem 
considering the deduction system of Laud [Laud 2002]. 

Regarding the complexity, there are at most $\#K$ sets to be built and each set $K_i$ can 
be constructed in $O(|L_S\tau|)$. If a DAG representation of the terms is used then $|L_S\tau| \in 
O(|L_S|)$. This gives a complexity of $O(\#K \times |L_S|)$ for the above algorithm. 
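The checks of this section, as an added example in Python (this is not code from the paper): it decides $P_{kc}$ by the $K_i$ fixpoint of Lemma 5.12, $P_{skc}$ by cycle detection on the encrypts relation of Definition 5.1 for either choice of $\rho$, and the compatibility of Definition 5.5, all on a list of ground terms, which is all Proposition 5.7 requires; it also builds the solution $\tau$ of a solved constraint system as defined above. Everything about the encoding is this example's own assumption: terms are tuples, $hidden(S)$ is computed by the decomposition closure (sufficient because keys are atomic), and a "plain-text occurrence" is taken to be a $\sqsubseteq$ position lying under at least one encryption, the reading under which Example 5.4 comes out as stated. The constraint system in `constrained_example` is constructed for the illustration.

```python
# Added example (not the paper's code): the Section 5 checks on a list of ground terms (all that
# Proposition 5.7 requires) and the solution tau of Section 5.4. Term encoding is this example's
# own: ('name', n) | ('var', v) | ('pair', s, t) | ('enc', m, k); keys are atomic, as in Section 5.
def name(n): return ('name', n)
def pair(s, t): return ('pair', s, t)
def enc(m, k): return ('enc', m, k)
def occurs(t, rho):                  # rho='st': all subterms (<=_st); rho='sq': the ⊑ positions
    yield t
    if t[0] == 'pair' or (t[0] == 'enc' and rho == 'st'):
        yield from occurs(t[1], rho); yield from occurs(t[2], rho)
    elif t[0] == 'enc':
        yield from occurs(t[1], rho)

def analyze(S):                      # decomposition closure; keys are atomic, so S |- k iff k is in it
    D = set(S)
    while True:
        new = {u for t in D if t[0] == 'pair' for u in t[1:]} | {t[1] for t in D if t[0] == 'enc' and t[2] in D}
        if new <= D: return D
        D |= new

def hidden(S, keys):                 # hidden(S): keys occurring in S that S cannot deduce
    D = analyze(S)
    return {s for t in S for s in occurs(t, 'st') if s in keys and s not in D}

def plaintext_occurrences(S):
    """Map term -> one protector set per plain-text occurrence in S. An occurrence is taken to be a
    ⊑ position under at least one encryption (assumed reading; it makes Example 5.4 come out as
    stated), and its protectors are the keys of the enclosing encryptions."""
    occ = {}
    def walk(t, protectors):
        if t[0] == 'pair':
            walk(t[1], protectors); walk(t[2], protectors)
        elif t[0] == 'enc':
            walk(t[1], protectors | {t[2]})   # the key argument is not a plain-text position
        elif protectors:
            occ.setdefault(t, []).append(protectors)
    for t in S:
        walk(t, frozenset())
    return occ

def has_key_cycle(S, keys):
    """Definition 5.3 by the K_i fixpoint of Lemma 5.12: K_i holds the keys all of whose plain-text
    occurrences are protected by a key of K_{i-1}; there is a key cycle iff the fixpoint is not K."""
    K, occ, Ki = hidden(S, keys), plaintext_occurrences(S), set()
    while True:
        nxt = {k for k in K if all(prot & Ki for prot in occ.get(k, []))}
        if nxt == Ki: return Ki != K
        Ki = nxt

def encrypts(S, keys, rho='sq'):     # Definition 5.1: k' rho m' and enc(m', k) ⊑ m for some m in S
    return {(e[2], kp) for m in S for e in occurs(m, 'sq') if e[0] == 'enc' and e[2] in keys
            for kp in occurs(e[1], rho) if kp in keys}

def has_cycle(nodes, edges):         # cycle iff repeatedly deleting source nodes leaves some node
    rest = set(nodes)
    while rest:
        targets = {b for a, b in edges if a in rest and b in rest}
        if targets == rest: return True
        rest &= targets
    return False

def has_strict_key_cycle(S, keys, rho='sq'):   # Definition 5.2: cycle of encrypts on hidden(S)
    K = hidden(S, keys)
    return has_cycle(K, {(a, b) for a, b in encrypts(S, keys, rho) if a in K and b in K})

def ordering_violations(S, keys, prec, rho='sq'):
    """Definition 5.5 on hidden(S): pairs (k, k') with k encrypts k' but not k' ≺ k; prec is the
    transitively closed set of pairs (a, b) meaning a ≺ b."""
    K = hidden(S, keys)
    return {(a, b) for a, b in encrypts(S, keys, rho) if a in K and b in K and (b, a) not in prec}

def substitute(t, sigma):
    if t[0] == 'var':
        return sigma.get(t, t)
    return (t[0], substitute(t[1], sigma), substitute(t[2], sigma)) if t[0] in ('pair', 'enc') else t

def tau_solution(constraints):       # Section 5.4: x_i -> pairing of T_i tau_{i-1}, with T_i ⊆ T_{i+1}
    tau = {}
    for T, x in constraints:
        terms = [substitute(t, tau) for t in T]
        tau[x] = terms[0]
        for t in terms[1:]:
            tau[x] = pair(tau[x], t)
    return tau

# Constructed inputs: the three messages of Example 5.4 and one small solved system.
k, kp, k1, k2, k3 = name('k'), name("k'"), name('k1'), name('k2'), name('k3')
KEYS = {k, kp, k1, k2, k3}
M, M1 = enc(enc(k, k), kp), pair(enc(k1, k2), enc(enc(k2, k3), k1))
M2 = pair(pair(enc(k1, k2), enc(enc(k2, k1), k3)), k3)

def example_5_4():                   # (key cycle?, strict key cycle?) for m, m' and m''
    return {n: (has_key_cycle([t], KEYS), has_strict_key_cycle([t], KEYS))
            for n, t in (('m', M), ("m'", M1), ("m''", M2))}
def constrained_example():           # C = ({enc(k1,k2)} ⊩ x), L = [enc(k1,k2), enc(x,k1)], on L_S tau
    x = ('var', 'x')
    L = [substitute(t, tau_solution([([enc(k1, k2)], x)])) for t in (enc(k1, k2), enc(x, k1))]
    return has_key_cycle(L, KEYS), has_strict_key_cycle(L, KEYS)
```

`example_5_4` reproduces the verdicts of Example 5.4 (only $m''$ has a key cycle, all three have strict key cycles), and the $\rho$ parameter of `encrypts` shows the variant discussed in Section 5.1: $enc(enc(a, k), k)$ has a strict key cycle for $\rho = \le_{st}$ but not for $\rho = \sqsubseteq$. In `constrained_example` the intruder's canonical choice $x\tau = enc(k_1, k_2)$ yields $enc(enc(k_1, k_2), k_1)$, a strict key cycle ($k_1$ encrypts $k_1$) that is not a key cycle in the sense of Definition 5.3, since the inner $k_1$ stays protected by $k_2$.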

Strict key cycles and key orderings. For the other two properties $P_{skc}$ and $P_{\not\prec}$ we pro- 
ceed in a similar manner. 

Lemma 5.13. Let $T \Vdash x$ be a constraint of a solved deducibility constraint system $C$ 
and $\theta$ be a solution. Let $m, u, k$ be terms such that 

$T\theta \vdash m$ and $enc(u, k) \sqsubseteq m$ and $T\theta \nvdash k$. 

Then there exists a non-variable term $v$ such that $v \sqsubseteq w$ for some $w \in T$ and $v\theta = 
enc(u, k)$. 

Proof. We write $C$ as $\bigwedge_i (T_i \Vdash x_i)$, with $1 \le i \le n$ and $T_i \subseteq T_{i+1}$. Consider the 
index $i$ of the constraint $T \Vdash x$, that is such that $(T_i \Vdash u_i) \in C$, $T_i = T$ and $u_i = x$. The 
lemma is proved by induction on $(i, l)$ (lexicographical ordering) where $l$ is the length of 
the proof of $T_i\theta \vdash m$. Consider the last rule of the proof: 

— (axiom rule) $m = t\theta$ for some $t \in T_i$. We can have that either there is $t' \sqsubseteq t$ such that 
$t'\theta = enc(u, k)$, or $enc(u, k) \sqsubseteq y\theta$ for some $y \in \mathcal{V}(t)$. In the first case take $v = t'$, 
$w = t$. In the second case, by the definition of deducibility constraint systems, there 
exists $(T_j \Vdash y) \in C$ with $j < i$. Since $T_j\theta \vdash y\theta$ and $T_j\theta \nvdash k$ (since $T_j \subseteq T_i$), we 
deduce by induction hypothesis that there exists a non-variable term $v$ such that $v \sqsubseteq w$ 
for some $w \in T_j$, hence $w \in T_i$, and $v\theta = enc(u, k)$. 

— (decomposition rule) Let $m'$ be the premise of the rule. We have that $T_i\theta \vdash m'$ (with 
a proof of strictly smaller length) and $m \sqsubseteq m'$, thus $enc(u, k) \sqsubseteq m'$. By induction 
hypothesis, we deduce that there exists a non-variable term $v$ such that $v \sqsubseteq w$ for some 
$w \in T_i$ and $v\theta = enc(u, k)$. 

— (composition rule) All cases are similar to the previous one except if $m = enc(u, k)$ and 
the rule is $\dfrac{S \vdash x \quad S \vdash y}{S \vdash enc(x, y)}$. But this case contradicts $T_i\theta \nvdash k$. 

□ 

The following simple lemma is also needed for the proof of Lemma 5.15. 

Lemma 5.14. Let $T \Vdash x$ be a constraint of a solved deducibility constraint system $C$, 
$\theta$ be a solution, $k \in hidden(T\theta)$, and $m$ a term such that $T\theta \vdash m$. If $k \,\rho\, m$ then there is 
$t \in T$ such that $k \,\rho\, t$. 
Proof. We write $C$ as $\bigwedge_i (T_i \Vdash x_i)$, with $1 \le i \le n$ and $T_i \subseteq T_{i+1}$. Consider the 
index $i$ of the constraint $T \Vdash x$, that is such that $(T_i \Vdash u_i) \in C$, $T_i = T$ and $u_i = x$. The 
lemma is proved by induction on $(i, l)$ (considering the lexicographical ordering) where $l$ 
is the length of the proof of $T_i\theta \vdash m$. Consider the last rule of the proof: 

— (axiom rule) $m \in T_i\theta$ or $m$ is a public constant. If $m$ is a public constant then $k \ne m$ 
since $k \in hidden(T\theta)$. Thus there is $t \in T_i$ such that $m = t\theta$. If $k \,\rho\, t$ then we are done. 
Otherwise there is a variable $y \in \mathcal{V}(t)$ such that $k \,\rho\, y\theta$. Also, there is $j < i$ such that 
$T_j \Vdash y$ is a constraint of $C$. Then, by induction hypothesis, there is $t' \in T_j$, hence in $T_i$, 
such that $k \,\rho\, t'$. 

— (composition or decomposition rule) By inspection of all the composition and decom- 
position rules we observe that there is always a premise $T_i\theta \vdash m'$ with $k \,\rho\, m'$ for some 
term $m'$. The conclusion follows then directly from the induction hypothesis. 

□ 

The following lemma shows that it is sufficient to analyze $\tau$ when checking the proper- 
ties $P_{skc}$ and $P_{\not\prec}$. 

Lemma 5.15. Let $C$ be a solved deducibility constraint system, $L$ a list of terms such 
that $\mathcal{V}(L) \subseteq \mathcal{V}(C)$ and $lhs(C) \subseteq L_S$, and $\theta$ a solution of $C$. For any $k, k' \in hidden(L_S\theta)$, 
if $k$ encrypts $k'$ in $L_S\theta$ then $k$ encrypts $k'$ in $L_S\tau$. 

Proof. Remember that hidden(Ls0) = hidden(LsT) (Corollary 5.9). 

Consider two keys k, k' G hiMen{Ls9) such that k encrypts k' in Ls9. Then there 
are terms u, u' such that u' G Ls9, enc(M, k) C u' and k' pi u. We can have that either 
(first case) there are u, w such that w C w G Lg, v non-variable and enc(w, k) = v6, or 
(second case) enc(w, k) C x6 with x G V{Ls). In the second case, consider the constraint 
(Tx Ih x) G C. We have T^O h x6. Hence we can apply Lemma 5.13 for x9, u and k to 
obtain that there exists a non- variable term v such that v for some w G and v9 = 
enc(w, k). Hence, in both cases, we obtained that there is a non-variable term v G St{Ls) 
(since C L^) such that v9 = enc(u, k). Thus there is vq such that v = enc(wo, k). 
Indeed, otherwise v = cnc(wo,y) for some y G V(Ls), hence y G V(C). Since C is 
solved we have Tya h ya. But ya = k, contradicting k G hidden(Ls^). 

We have vo9 = u. Since k' pi u and k' is a name or a variable, we can have that k' pi vq, 
or k' pi y9 for some y G V(i)o). If k' pi vq then k encrypts k' in L^, hence in LgT also. 
If k' pi y9 then from the previous lemma k' pi t for some t G Ty, and hence fc' pi yr. 
Therefore in both cases we have that k encrypts k' in LgT. □ 

We deduce that deciding whether there is an attack for C and P(L), when P is inter-
preted as P_skc, can be done simply by deciding whether the restriction of the relation
ρ^{L_Sτ} (the relation "encrypts in L_Sτ") to K × K is cyclic.

Deciding whether there is an attack for C and P(L), when P is interpreted as P_≺, can
be done by deciding whether the restriction to K × K of the relation ρ^{L_Sτ} has the following
property Q: there are k, k' ∈ K such that k ρ^{L_Sτ} k' and k ⊀ k'.

Checking the cyclicity of the relation ρ^{L_Sτ} reduces to checking the cyclicity of the cor-
responding directed graph, using a classic algorithm in O(|K|^2). Then, checking the prop-
erty Q can be performed by analyzing all pairs (k, k') ∈ K × K, hence also in O(|K|^2).

Verifying any of the three properties requires a preliminary step of computing K =
hidden(L_Sτ). Computing deducible subterms can be performed in linear time, hence this
computation step requires O(|L_Sτ|). Moreover |L_Sτ| ≤ |L_S| + |τ| ≤ |L_S| + O(|C|). If lhs(C) ⊆ L_S,
then |L_Sτ| = O(|L|). It follows that the complexity of deciding whether there is an attack
for C and P(L) is polynomial when P is interpreted as P_kc, P_skc or P_≺.
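The two checks just described (cyclicity of the "encrypts" relation restricted to the hidden keys K, and property Q for a given ordering on keys) worked out as an added Python example; this is not code from the paper. It assumes a tuple encoding of terms, computes hidden(L) as the non-deducible names of L by a closure over St(L), builds the "encrypts" relation in the sense used in Lemma 5.15, and runs a depth-first search for the cycle test. The reading of property Q as "some k encrypts k' while the pair (k, k') is not in the given order" is an assumption of the example, as is treating every hidden name (not only keys) as a node of the graph.

```python
from typing import Dict, Iterable, Set, Tuple

# Added example, not code from the paper. Term encoding (an assumption):
# a name (key, nonce, agent) is a plain string, ('pair', u, v) is the pair
# <u, v>, and ('enc', m, k) is the symmetric encryption enc(m, k).

def pair(u, v):
    return ('pair', u, v)

def enc(m, k):
    return ('enc', m, k)

def subterms(t) -> Set:
    """St(t): t and all its subterms (the relation written ⊑ in the paper)."""
    out = {t}
    if isinstance(t, tuple):
        for arg in t[1:]:
            out |= subterms(arg)
    return out

def deducible_subterms(L: Iterable, public: Set[str]) -> Set:
    """Subterms of L that the intruder can deduce from L: closure of the axiom
    rule (t in L or t a public constant), pairing/projection and encryption/
    decryption with a deducible key. Only St(L) is explored, which is what
    allows hidden(L) to be computed without enumerating arbitrary terms."""
    L = list(L)
    st: Set = set().union(*(subterms(u) for u in L))
    ded = {t for t in st if t in L or t in public}
    changed = True
    while changed:
        changed = False
        for t in st:                                   # composition rules
            if t not in ded and isinstance(t, tuple) and all(a in ded for a in t[1:]):
                ded.add(t)
                changed = True
        for t in list(ded):                            # decomposition rules
            if not isinstance(t, tuple):
                continue
            if t[0] == 'pair':
                new = {t[1], t[2]}
            elif t[0] == 'enc' and t[2] in ded:        # decrypt only with a known key
                new = {t[1]}
            else:
                new = set()
            if not new <= ded:
                ded |= new
                changed = True
    return ded

def hidden_names(L, public: Set[str]) -> Set[str]:
    """hidden(L): the names occurring in L that are not deducible from L.
    The paper restricts attention to keys; here every non-deducible name is
    kept (a name never used in key position has no outgoing edge anyway)."""
    ded = deducible_subterms(L, public)
    return {t for u in L for t in subterms(u) if isinstance(t, str) and t not in ded}

def encrypts(L, K: Set[str]) -> Set[Tuple[str, str]]:
    """The relation "k encrypts k' in L" of Lemma 5.15, restricted to K x K:
    some enc(u, k) is a subterm of a term of L and k' is a subterm of u."""
    rel = set()
    for u_prime in L:
        for s in subterms(u_prime):
            if isinstance(s, tuple) and s[0] == 'enc' and s[2] in K:
                rel |= {(s[2], kp) for kp in subterms(s[1]) if kp in K}
    return rel

def has_cycle(rel: Set[Tuple[str, str]], K: Set[str]) -> bool:
    """Cyclicity of the directed graph (K, rel) by depth-first search; a self
    edge (k, k), i.e. some enc(.., k) containing k, counts as a cycle."""
    adj: Dict[str, Set[str]] = {k: set() for k in K}
    for a, b in rel:
        adj[a].add(b)
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {k: WHITE for k in K}

    def visit(k: str) -> bool:
        colour[k] = GREY
        for n in adj[k]:
            if colour[n] == GREY or (colour[n] == WHITE and visit(n)):
                return True
        colour[k] = BLACK
        return False

    return any(colour[k] == WHITE and visit(k) for k in sorted(K))

def violates_order(rel: Set[Tuple[str, str]], order: Set[Tuple[str, str]]) -> bool:
    """Property Q for P_≺, under the assumed reading that 'order' lists the
    allowed pairs (k, k') with k ≺ k': an attack is a pair "k encrypts k'"
    that is not in the order."""
    return any(p not in order for p in rel)

def key_cycle_attack(L, public: Set[str]) -> bool:
    """P_skc decided as in the text: compute K = hidden(L), then check whether
    the "encrypts" relation restricted to K x K is cyclic."""
    K = hidden_names(L, public)
    return has_cycle(encrypts(L, K), K)

# Constructed sample lists of terms (standing in for L_S tau).
PUBLIC = {'a', 'b'}
L_CYCLE = [enc('k1', 'k2'), enc('k2', 'k1')]               # k2 encrypts k1 and k1 encrypts k2
L_SELF = [pair('a', enc(enc('n', 'k'), 'k'))]              # enc(enc(n, k), k): k encrypts k
L_LEAKED = [enc('k1', 'k2'), 'k2']                         # k2 is known, so k1 is deducible too
L_ORDERED = [pair('a', enc('k1', 'k2')), enc('k3', 'k1')]  # k2 encrypts k1, k1 encrypts k3
```

Running `key_cycle_attack` on `L_LEAKED` shows why the hidden-key step comes first: once k2 is deducible, k1 is obtained by decryption, K is empty and no cycle can exist, even though enc(k1, k2) is syntactically present.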

5.5 NP-completeness 

Let C be a deducibility constraint system and L a list of terms such that V(L_S) ⊆ V(C)
and lhs(C) ⊆ L_S. The NP membership of deciding whether there is an attack for C and
P(L) (for our 3 possible interpretations of P) follows immediately from Corollary 4.18
and Proposition 5.10.

NP-hardness is obtained by adapting the construction for NP-hardness provided in [Rusi-
nowitch and Turuani 2003]. More precisely, we consider the reduction of the 3SAT prob-
lem to our problem. For any 3SAT Boolean formula we construct a protocol such that the
intruder can deduce a key cycle if and only if the formula is satisfiable. The construction
is the same as in [Rusinowitch and Turuani 2003] (pages 15 and 16) except that, in the
last rule, the participant responds with the term enc(k, k), for some fresh key k (initially
secret), instead of Secret. Then it is easy to see that the only way to produce a key cycle
on a secret key is to play this last rule which is equivalent, using [Rusinowitch and Turuani
2003], to the satisfiability of the corresponding 3SAT formula.

6. AUTHENTICATION-LIKE PROPERTIES 

We propose a simple decidable logic for security properties. This logic enables in particular 
to specify authentication-like properties. 

6.1 A simple logic 

The logic enables term comparisons and is closed under Boolean connectives.

Definition 6.1. The logic 𝓛 is inductively defined by:

φ ::= [m_1 = m_2] | ¬φ | φ ∨ φ | φ ∧ φ | ⊥        m_1, m_2 terms

V(φ) is the set of variables occurring in its atomic formulas.

σ ⊨ [m_1 = m_2] if m_1σ and m_2σ are identical terms, and σ ⊭ ⊥. This satisfaction relation
is extended to any of the above formulas, interpreting the Boolean connectives as usual.

Example 6.2. Let us consider again the authentication property introduced in Exam-
ple 3.8. There is an attack on authentication between A and B if A and B do not agree on
the nonce sent by A for B, that is if x ≠ n_a at the end of the run of the protocol. This
can be expressed by the following formula

φ_1 = [x ≠ n_a]

The substitution σ_1 (assigning x to n„) is an attack for C_1 (defined in Example 3.8) and φ_1
and demonstrates a failure of authentication.

More sophisticated properties can be expressed using the logic 𝓛. For example, when
two sessions of the same role are executed, one can express that an agent has received
exactly once the right nonce n_a, with the following formula.

φ_2 = ([x_1 = n_a] ∧ [x_2 ≠ n_a]) ∨ ([x_1 ≠ n_a] ∧ [x_2 = n_a])

where x_1 (resp. x_2) represents the nonce received by the agent in the first (resp. second)
session.

We can also express properties of the form: if two agents agree on some term u, they
also agree on some term v. This can be indeed modeled by the formula

φ_3 = [u_1 = u_2] ⇒ [v_1 = v_2]

where u_1 (resp. u_2) represents the view of u by the first (resp. second) agent and v_1 (resp.
v_2) represents the view of v by the first (resp. second) agent. The formula A ⇒ B is the
usual notation for the formula ¬A ∨ B.

6.2 Decidability 

Theorem 6.3. Let C be a deducibility constraint system and φ be a formula of 𝓛.
Deciding whether there is an attack for C and φ can be performed in non-deterministic
polynomial time.

Proof. First, choosing non-deterministically φ_1 or φ_2 in any subformula φ_1 ∨ φ_2, we
may, w.l.o.g. only consider the case where φ is a conjunction ∧_j [u_j = u'_j] ∧ φ_d, where
φ_d = ∧_i [v_i ≠ v'_i].

Let σ be a mgu (idempotent, which does not introduce new variables) of ∧_j u_j = u'_j.
The deducibility constraint system C has a joined solution with φ if and only if Cσ and
φ_dσ have a common solution. As in the previous sections, we choose a representation
of expressions, such that applying a mgu of subterms of an expression e on e does not
increase the size of the expression e.

We are now left to the case where we have to decide whether a deducibility constraint
system has a solution together with a property of the form φ = ∧_i [u_i ≠ v_i].

Applying Theorem 4.3, there exists a solution θ of C and φ if and only if there exist a
deducibility constraint system C' in solved form and substitutions σ, θ' such that θ = σθ',
C ⇝* C' and θ' is an attack for C' and φσ. Thus, we are now left to decide whether
there exists a solution to a solved constraint system C' and a formula φσ of the form
above.

If, for some i, u_i is identical to v_i, then there is clearly no solution. We claim that,
otherwise, there is always a solution. This is an independence of disequations lemma (as
in [Colmerauer 1984] for instance), and the proof is similar to other independence of dise-
quations lemmas:

Lemma 6.4. Let C be a solved deducibility constraint system and φ be the formula
t_1 ≠ u_1 ∧ ... ∧ t_n ≠ u_n such that V(φ) ⊆ V(C) and, for every i, t_i is not identical to u_i.
Then there is always a solution θ of C and φ.

This is proved by induction on the number of variables of φ. In the base case, there is no
variable and the result is trivial as φ is a tautology.

Let T_0 be the smallest left-hand side of C. T_0 must be a non-empty set of ground terms.
Note that there is an infinite set of deducible terms from T_0.

Let x ∈ V(φ). For each i, either t_i = u_i has no solution, in which case t_i ≠ u_i is always
satisfied, or else let S = {xσ_i | σ_i = mgu(t_i, u_i)}. We choose t_x such that T_0 ⊢ t_x and
t_x ∉ S. This is possible since S is finite and there are infinitely many terms deducible
from T_0. Now, for every i, t_i[t_x/x] is not identical to u_i[t_x/x] by construction. Hence, we
may apply the induction hypothesis to φ[t_x/x] and conclude. □
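The procedure of Theorem 6.3, as an added Python example that is not code from the paper: the logic of Definition 6.1 is encoded as nested tuples, the non-deterministic choice of disjuncts is replaced by trying all of them, the equalities of a disjunct are unified and, relying on Lemma 6.4 (C solved and V(φ) ⊆ V(C)), the disjunct is accepted when no disequation has identical sides after the mgu. The term encoding (variables start with `?`) and the formulas `PHI1`, `PHI2` and `NOT_PHI3` are constructed for this example; the solved constraint system itself is not represented, since by Lemma 6.4 only the formula decides the outcome.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not code from the paper. Encoding (an assumption): a variable
# is a string starting with '?', any other string is a name, and compound
# terms are tuples such as ('pair', u, v) or ('enc', m, k). Formulas of the
# logic of Definition 6.1 are ('eq', m1, m2) for [m1 = m2], ('not', phi),
# ('or', phi, psi), ('and', phi, psi) and ('bot',) for the false formula.

Term = object
Subst = Dict[str, Term]

def is_var(t) -> bool:
    return isinstance(t, str) and t.startswith('?')

def apply(sigma: Subst, t):
    """t sigma, following bindings until a non-variable or an unbound variable."""
    if is_var(t):
        return apply(sigma, sigma[t]) if t in sigma else t
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply(sigma, a) for a in t[1:])
    return t

def satisfies(sigma: Subst, phi) -> bool:
    """sigma |= phi: an atom [m1 = m2] holds iff m1 sigma and m2 sigma are
    identical terms, the false formula never holds, connectives as usual."""
    tag = phi[0]
    if tag == 'eq':
        return apply(sigma, phi[1]) == apply(sigma, phi[2])
    if tag == 'bot':
        return False
    if tag == 'not':
        return not satisfies(sigma, phi[1])
    if tag == 'or':
        return satisfies(sigma, phi[1]) or satisfies(sigma, phi[2])
    if tag == 'and':
        return satisfies(sigma, phi[1]) and satisfies(sigma, phi[2])
    raise ValueError(f'unknown connective {tag}')

def dnf(phi, neg: bool = False) -> List[Tuple[list, list]]:
    """The disjuncts of phi, each as (equalities, disequalities): the
    conjunctions of [u_j = u'_j] and [v_i != v'_i] that the proof of
    Theorem 6.3 picks non-deterministically. Negation is pushed to the atoms."""
    tag = phi[0]
    if tag == 'eq':
        atom = (phi[1], phi[2])
        return [([], [atom])] if neg else [([atom], [])]
    if tag == 'bot':
        return [([], [])] if neg else []           # not bot is the empty conjunction
    if tag == 'not':
        return dnf(phi[1], not neg)
    if (tag == 'or') != neg:                       # a disjunction (De Morgan when neg)
        return dnf(phi[1], neg) + dnf(phi[2], neg)
    return [(e1 + e2, d1 + d2)                     # a conjunction: combine both sides
            for e1, d1 in dnf(phi[1], neg) for e2, d2 in dnf(phi[2], neg)]

def occurs(x: str, t, sigma: Subst) -> bool:
    t = apply(sigma, t)
    return t == x or (isinstance(t, tuple) and any(occurs(x, a, sigma) for a in t[1:]))

def unify(equations: List[Tuple[Term, Term]]) -> Optional[Subst]:
    """Syntactic most general unifier of the equations, or None if they have
    no solution (symbol clash or occurs check)."""
    sigma: Subst = {}
    work = list(equations)
    while work:
        s, t = work.pop()
        s, t = apply(sigma, s), apply(sigma, t)
        if s == t:
            continue
        if is_var(s) or is_var(t):
            x, u = (s, t) if is_var(s) else (t, s)
            if occurs(x, u, sigma):
                return None
            sigma[x] = u
        elif isinstance(s, tuple) and isinstance(t, tuple) and s[0] == t[0] and len(s) == len(t):
            work.extend(zip(s[1:], t[1:]))
        else:
            return None
    return sigma

def attack_substitution(phi) -> Optional[Subst]:
    """Theorem 6.3 for a solved constraint system C with V(phi) in V(C): try
    every disjunct, unify its equalities, and accept when no disequation has
    identical sides after the mgu, since Lemma 6.4 then guarantees a common
    solution with C. Returns the mgu of the accepted disjunct, else None."""
    for eqs, neqs in dnf(phi):
        sigma = unify(eqs)
        if sigma is not None and all(apply(sigma, v) != apply(sigma, w) for v, w in neqs):
            return sigma
    return None

# Constructed formulas in the style of Example 6.2.
def eq(m1, m2):
    return ('eq', m1, m2)

def neq(m1, m2):
    return ('not', eq(m1, m2))

PHI1 = neq('?x', 'n_a')                                        # [x != n_a]
PHI2 = ('or', ('and', eq('?x1', 'n_a'), neq('?x2', 'n_a')),
              ('and', neq('?x1', 'n_a'), eq('?x2', 'n_a')))    # exactly one session got n_a
# Negation of phi_3 = [u1 = u2] => [v1 = v2] with u_i = enc(v_i, k): agreement on u
# forces agreement on v, so no substitution can violate phi_3.
NOT_PHI3 = ('and', eq(('enc', '?v1', 'k'), ('enc', '?v2', 'k')), neq('?v1', '?v2'))
```

For `NOT_PHI3` the mgu identifies v_1 with v_2, so the remaining disequation has identical sides and the procedure answers "no attack", which is exactly the first case of the proof; for `PHI1` and `PHI2` it returns the (possibly empty) mgu of a successful disjunct.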
7. TIMESTAMPS

For modeling timestamps, we introduce a new sort Time ⊆ Msg for time and we assume
an infinite number of names of sort Time, represented by rational numbers or integers. We
assume that the only two sorts are Time and Msg. Any value of time should be known to
an intruder, that is why we add to the deduction system the axiom rule T ⊢ a (without
premise) for any name a of sort Time. All the previous results can be easily extended to
such a deduction system since ground deducibility remains decidable in polynomial time.

To express relations between timestamps, we use timed constraints.

Definition 7.1. An integer timed constraint or a rational timed constraint 𝒯 is a con-
junction of formulas of the form

where the a_j and β are rational numbers, ⋈ ∈ {<, ≤}, and the x_j are variables of sort
Time. A solution of a rational (resp. integer) timed constraint 𝒯 is a closed substitution
σ = {c_1/x_1, ..., c_k/x_k}, where the c_i are rationals (resp. integers), that satisfies the con-
straint.

Such timed properties can be used for example to say that a timestamp x_1 must be
fresher than a timestamp x_2 (x_1 > x_2) or that x_1 must be at least 30 seconds fresher than
x_2 (x_1 > x_2 + 30).

Example 7.2. We consider the Wide Mouthed Frog Protocol [Clark and Jacob 1997].

A → S : A, enc((T_a, B, K_ab), K_as)
S → B : enc((T_s, A, K_ab), K_bs)

A sends to a server S a fresh key K_ab intended for B. If the timestamp is fresh enough,
the server answers by forwarding the key to B, adding its own timestamp. B simply
checks whether this timestamp is older than any other message he has received from S. As
explained in [Clark and Jacob 1997], this protocol is flawed because an attacker can use the
server to keep a session alive as long as he wants by replaying the answers of the server.
This protocol can be modeled by the following deducibility constraint system:

S_1 ≝ {a, b, s, (a, enc((0, b, k_ab), k_as))} ⊩ (a, enc((x_t1, b, y_1), k_as)), x_t2        (6)

S_2 ≝ S_1 ∪ {enc((x_t2, a, y_1), k_bs)} ⊩ (b, enc((x_t3, a, y_2), k_bs)), x_t4        (7)

S_3 ≝ S_2 ∪ {enc((x_t4, b, y_2), k_as)} ⊩ (a, enc((x_t5, b, y_3), k_as)), x_t6        (8)

S_4 ≝ S_3 ∪ {enc((x_t6, a, y_3), k_bs)} ⊩ enc((x_t7, a, k_ab), k_bs)        (9)

where y_1, y_2, y_3 are variables of sort Msg and x_t1, ..., x_t7 are variables of sort Time. We
add explicitly the timestamps emitted by the agents on the right-hand side of the constraints
(that is in the messages expected by the participants) since the intruder can schedule the
message transmission whenever he wants. Note that on the right-hand side of constraints
we do have terms, but by abuse of notation we have omitted the pairing function symbol.

Initially, the intruder simply knows the names of the agents and A's message at time 0.
Then S answers alternately to requests from A and B. Since the intruder controls the
network, the messages can be scheduled as slowly (or as fast) as the intruder needs. The
server S should not answer if A's timestamp is too old (let's say older than 30 seconds),
thus S's timestamp cannot be too much delayed (no more than 30 seconds). This means
that we should have x_t2 ≤ x_t1 + 30. Similarly, we should have x_t4 ≤ x_t3 + 30 and
x_t6 ≤ x_t5 + 30. The last rule corresponds to B's reception. In this scenario, B does not
perform any check on the timestamp since it is the first message he receives.

We say that there is an attack if there is a joined solution of the deducibility constraint
system and the previously mentioned time constraints together with x_t7 > 30. This last
constraint expresses that the timestamp received by B is too large to come from A. Al-
together, the time constraint becomes x_t2 ≤ x_t1 + 30 ∧ x_t4 ≤ x_t3 + 30 ∧ x_t6 ≤
x_t5 + 30 ∧ x_t7 > 30. Then the substitution corresponding to the attack is

σ = {k_ab/y_1, k_ab/y_2, k_ab/y_3, 0/x_t1, 30/x_t2, 30/x_t3, 60/x_t4, 60/x_t5, 90/x_t6, 90/x_t7}.
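The attack substitution of Example 7.2 checked against constraints (6)-(9) and the timed constraint, as an added Python example (not code from the paper). It assumes a tuple encoding of terms in which the triple (u, v, w) is written ('tuple', u, v, w) and variables start with `?`, uses a deliberately incomplete but sound deduction check (composition only, no decryption, since the intruder holds no long-term key in this example) and evaluates the timed constraint as the linear inequalities of Definition 7.1. The second substitution `SIGMA_PROMPT` is constructed here to show a run that satisfies the deducibility constraints but not the attack condition x_t7 > 30.

```python
from fractions import Fraction
from typing import Dict, List, Set, Tuple

# Added example, not code from the paper. Encoding (an assumption): names are
# strings, values of sort Time are ints or Fractions, a variable is a string
# starting with '?', ('pair', u, v) is pairing, ('tuple', u, v, w) the triple
# (u, v, w), and ('enc', m, k) is enc(m, k).

def pair(u, v):
    return ('pair', u, v)

def enc(m, k):
    return ('enc', m, k)

def triple(u, v, w):
    return ('tuple', u, v, w)

def is_var(t) -> bool:
    return isinstance(t, str) and t.startswith('?')

def is_time(t) -> bool:
    return isinstance(t, (int, Fraction)) and not isinstance(t, bool)

def inst(sigma: Dict, t):
    """t sigma for a closed substitution sigma."""
    if is_var(t):
        return sigma[t]
    if isinstance(t, tuple):
        return (t[0],) + tuple(inst(sigma, a) for a in t[1:])
    return t

def deducible(S: Set, t) -> bool:
    """Sound but deliberately incomplete check that the ground term t is
    deducible from S: t is in S, t is a name of sort Time (the added rule
    T |- a for Time names), or t is built from deducible parts. Decryption is
    left out because the intruder holds no long-term key in this example."""
    if t in S or is_time(t):
        return True
    return isinstance(t, tuple) and all(deducible(S, a) for a in t[1:])

def time_ok(tcons: List[Tuple[Dict[str, int], str, int]], sigma: Dict) -> bool:
    """A timed constraint as a conjunction of (coefficients, op, beta), read as
    sum_j a_j x_j op beta with op in {'<', '<='} (Definition 7.1)."""
    for coeffs, op, beta in tcons:
        lhs = sum(Fraction(a) * Fraction(sigma[x]) for x, a in coeffs.items())
        if not (lhs < beta if op == '<' else lhs <= beta):
            return False
    return True

def is_attack(system, tcons, sigma: Dict) -> bool:
    """sigma is an attack iff it satisfies every constraint S_i |- rhs_i (each
    comma-separated right-hand side term must be deducible from S_i sigma)
    together with the timed constraint."""
    for S, rhs in system:
        S_ground = {inst(sigma, t) for t in S}
        if not all(deducible(S_ground, inst(sigma, r)) for r in rhs):
            return False
    return time_ok(tcons, sigma)

# Constraints (6)-(9) of Example 7.2 (Wide Mouthed Frog) in this encoding.
KAB, KAS, KBS = 'kab', 'kas', 'kbs'
S1 = {'a', 'b', 's', pair('a', enc(triple(0, 'b', KAB), KAS))}
S2 = S1 | {enc(triple('?xt2', 'a', '?y1'), KBS)}
S3 = S2 | {enc(triple('?xt4', 'b', '?y2'), KAS)}
S4 = S3 | {enc(triple('?xt6', 'a', '?y3'), KBS)}
WMF = [
    (S1, [pair('a', enc(triple('?xt1', 'b', '?y1'), KAS)), '?xt2']),   # (6)
    (S2, [pair('b', enc(triple('?xt3', 'a', '?y2'), KBS)), '?xt4']),   # (7)
    (S3, [pair('a', enc(triple('?xt5', 'b', '?y3'), KAS)), '?xt6']),   # (8)
    (S4, [enc(triple('?xt7', 'a', KAB), KBS)]),                        # (9)
]
# x_t2 <= x_t1 + 30, x_t4 <= x_t3 + 30, x_t6 <= x_t5 + 30, x_t7 > 30 (as -x_t7 < -30)
TIMED = [
    ({'?xt2': 1, '?xt1': -1}, '<=', 30),
    ({'?xt4': 1, '?xt3': -1}, '<=', 30),
    ({'?xt6': 1, '?xt5': -1}, '<=', 30),
    ({'?xt7': -1}, '<', -30),
]
# The attack substitution given in the text.
SIGMA_ATTACK = {'?y1': KAB, '?y2': KAB, '?y3': KAB,
                '?xt1': 0, '?xt2': 30, '?xt3': 30, '?xt4': 60,
                '?xt5': 60, '?xt6': 90, '?xt7': 90}
# Constructed: the same run without delay; (6)-(9) hold but x_t7 > 30 fails.
SIGMA_PROMPT = {**SIGMA_ATTACK, **{f'?xt{i}': 0 for i in range(1, 8)}}
```

Each forwarded message is delayed by exactly the 30 seconds the server tolerates, which is why the chain 0, 30, 60, 90 satisfies every `<=` constraint with equality and still pushes the timestamp B receives past the bound.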

Proposition 7.3. There is an attack to a solved deducibility constraint system and a
time constraint 𝒯 iff 𝒯 has a solution.

Proof sketch. Let C be a solved deducibility constraint system, and 𝒯 a timed con-
straint. Let y_1, ..., y_n be the variables of sort Msg in C and x_1, ..., x_k the variables of
sort Time in C. Clearly, any substitution σ of the form y_iσ = u_i where u_i ∈ S_i for some
(S_i ⊩ y_i) ∈ C and x_iσ = t_i for t_i any constant of sort Time is a solution of C. Let σ' be
the restriction of σ to the timed variables x_1, ..., x_k.

σ is an attack for C and 𝒯 if and only if σ' is a solution to 𝒯. Thus there exists an attack
for C and 𝒯 if and only if 𝒯 is satisfiable. □

Corollary 7.4. Deciding whether a deducibility constraint system, together with a
time constraint, has a solution is NP-complete.

Proof. The NP membership follows from the NP membership of time constraint satis-
fiability, Theorem 4.3 and Proposition 7.3.

NP-hardness directly follows from the NP-hardness of deducibility constraint system
solving, considering an empty timed constraint. □

8. CONCLUSIONS 

We have shown how, revisiting the approach of [Comon-Lundh and Shmatikov 2003; Rusi- 
nowitch and Turuani 2003], we can preserve the set of solutions, instead of only deciding 
the satisfiability. We also derived NP-completeness results for some security properties: 
key-cycles, authentication, time constraints. 

Since the constraint-based approach [Comon-Lundh and Shmatikov 2003; Rusinowitch 
and Turuani 2003] has already been implemented in AVISPA [Armando et al. 2005], it is 
likely that we can, with only slight efforts, adapt this implementation to the case of key 
cycles and timestamps. 

More generally, we would like to take advantage of our result to derive decision proce- 
dures for even more security properties. A typical example would be the combinations of 
several properties. Also, we could investigate non-trace properties such as anonymity or 
guessing attacks, for which there are very few decision results (only [Baudet 2005], whose 
procedure is quite complex). 

Regarding key cycles, our approach is valid for a bounded number of sessions only. Se- 
crecy is undecidable in general [Durgin et al. 2004] for an unbounded number of sessions. 
Such an undecidability result could be easily adapted to the problem of detecting key cy- 
cles. Secrecy is decidable for several classes of protocols [Ramanujam and Suresh 2003; 
Comon-Lundh and Cortier 2003; Blanchet and Podelski 2003; Verma et al. 2005] and an 
unbounded number of sessions. We plan to investigate how such fragments could be used 
to decide key cycles. 

Acknowledgments. We are particularly grateful to Michael Backes, Michael Rusinow-
itch, Stéphanie Delaune, and Bogdan Warinschi for their very helpful suggestions.